Windows Analysis Report
WER9Fz381n.exe

Overview

General Information

Sample name: WER9Fz381n.exe (renamed because the original name is a hash value)
Original sample name: 40d22787e79f76e54bfeb359822a4b3ad8e6bef6.exe
Analysis ID: 1546806
MD5: 256506e20fe6bddbe08403debd4c39cc
SHA1: 40d22787e79f76e54bfeb359822a4b3ad8e6bef6
SHA256: 81b8d673c51e5f98a4690c11f4f4f156349b2ab850733cbac4119c7c6ec3d804
Tags: exe, ReversingLabs, user-NDA0E

Detection

Glupteba
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Glupteba
AI detected suspicious sample
Contain functionality to detect virtual machines
Found Tor onion address
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WER9Fz381n.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\WER9Fz381n.exe" MD5: 256506E20FE6BDDBE08403DEBD4C39CC)
    • WER9Fz381n.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\WER9Fz381n.exe" MD5: 256506E20FE6BDDBE08403DEBD4C39CC)
  • cleanup
Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp
  Rule: Windows_Trojan_Smokeloader_3687686f   Description: unknown   Author: unknown
  Strings: 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_RedLineStealer_ed346e4c   Description: unknown   Author: unknown
  Strings: 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp
  Rule: Windows_Trojan_RedLineStealer_ed346e4c   Description: unknown   Author: unknown
  Strings: 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Yara matches in unpacked PE files (Source / Rule / Description / Author):

Source: 4.2.WER9Fz381n.exe.400000.5.raw.unpack
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 0.3.WER9Fz381n.exe.37f0000.2.raw.unpack
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 4.3.WER9Fz381n.exe.3700000.0.raw.unpack
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 0.2.WER9Fz381n.exe.400000.4.raw.unpack
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

Source: 4.2.WER9Fz381n.exe.400000.5.unpack
  Rule: JoeSecurity_Glupteba   Description: Yara detected Glupteba   Author: Joe Security

No Sigma rule has matched
Suricata IDS alerts:

Timestamp                        SID      Severity  Classtype                      Source IP      Source Port  Destination IP  Destination Port  Protocol
2024-11-01T16:05:12.898524+0100  2022930  1         A Network Trojan was detected  52.149.20.212  443          192.168.2.7     49817             TCP
2024-11-01T16:05:54.163569+0100  2022930  1         A Network Trojan was detected  52.149.20.212  443          192.168.2.7     63612             TCP


                AV Detection

Source: WER9Fz381n.exe, Avira: detected
Source: WER9Fz381n.exe, ReversingLabs: Detection: 84%
Source: Yara match, File source: 4.2.WER9Fz381n.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.WER9Fz381n.exe.37f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.3.WER9Fz381n.exe.3700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.WER9Fz381n.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.WER9Fz381n.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.WER9Fz381n.exe.2f70e67.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.WER9Fz381n.exe.37f0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.3.WER9Fz381n.exe.3700000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.WER9Fz381n.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.WER9Fz381n.exe.2e80e67.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: WER9Fz381n.exe PID: 7264, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: WER9Fz381n.exe PID: 7480, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.4% probability
Source: WER9Fz381n.exe, Joe Sandbox ML: detected

                Bitcoin Miner

Source: Yara match, File sources: the same ten UNPACKEDPE, six MEMORY and two MEMORYSTR sources listed under AV Detection above.

                Compliance

Source: C:\Users\user\Desktop\WER9Fz381n.exe, Unpacked PE file: 0.2.WER9Fz381n.exe.400000.4.unpack
Source: C:\Users\user\Desktop\WER9Fz381n.exe, Unpacked PE file: 4.2.WER9Fz381n.exe.400000.5.unpack
Source: WER9Fz381n.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\WER9Fz381n.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll
PDB-related binary strings found in the process memory dumps of WER9Fz381n.exe (the per-string lists of memory dump identifiers are omitted; a string marked "file and memory dumps" was also found in the sample file itself):

Source: Binary string: Loader.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: EfiGuardDxe.pdb7 (source: WER9Fz381n.exe file and memory dumps)
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with (source: WER9Fz381n.exe memory dumps)
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Age does not matchThe module age and .pdb age do not match. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: symsrv.pdb (source: WER9Fz381n.exe file and memory dumps)
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search (source: WER9Fz381n.exe memory dumps)
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Unable to locate the .pdb file in this location (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: The module signature does not match with .pdb signature. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: .pdb.dbg (source: WER9Fz381n.exe memory dumps)
Source: Binary string: '(EfiGuardDxe.pdbx (source: WER9Fz381n.exe memory dumps)
Source: Binary string: symsrv.pdbGCTL (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: or you do not have access permission to the .pdb location. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. (source: WER9Fz381n.exe memory dumps)
Source: Binary string: EfiGuardDxe.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature (source: WER9Fz381n.exe memory dumps)
Source: Binary string: dbghelp.pdb (source: WER9Fz381n.exe memory dumps)
Source: Binary string: dbghelp.pdbGCTL (source: WER9Fz381n.exe memory dumps)
Source: Binary string: C:\muxusad\viwep\gokixetuweton suhip90\hobeloz_cawico.pdb (source: WER9Fz381n.exe file)

                Networking

                Source: WER9Fz381n.exe | String found in binary or memory: 5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/idna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid address familyinvalid number base %djson: unknown field %qker
                Source: WER9Fz381n.exe | String found in binary or memory: atible; Exabot/3.0; http://www.exabot.com/go/robot)Opera/9.80 (J2ME/MIDP; Opera Mini/5.0.16823/1428; U; en) Presto/2.2.0http2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.oniont
                Source: WER9Fz381n.exe | String found in binary or memory: freeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/idna: invalid label %qinappropriate fall
                Source: WER9Fz381n.exe | String found in binary or memory: getenv before env initgzip: invalid checksumheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/idna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check fa
                Source: WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013C58000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CBE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: C:\Windows\system32\advapi32.dllhttp://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CE4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion9e146be9-c76a-4720-bcdb-53011b87bd06
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: Joe Sandbox View | IP Address: 199.59.243.227
                Source: Joe Sandbox View | IP Address: 46.8.8.100
                Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49817
                Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:63612
                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: ww82.trythisgid.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                Source: WER9Fz381n.exe | String found in binary or memory: Gecko)Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: received unexpected handshake message of type %T when waiting for %TBlackBerry7100i/4.1.0 Profile/MIDP- equals www.facebook.com (Facebook)
                Source: WER9Fz381n.exe | String found in binary or memory: cko Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)26959946667150639794667015087019625940457807714424391721682722368061269599466671506397946670150870196306735579 equals www.facebook.com (Facebook)
                Source: global traffic | DNS traffic detected: DNS query: trythisgid.com
                Source: global traffic | DNS traffic detected: DNS query: ww82.trythisgid.com
                Source: unknown | HTTP traffic detected: POST /app-install-failure HTTP/1.1 Host: trythisgid.com User-Agent: Go-http-client/1.1 Content-Length: 166 Accept-Encoding: gzip
                Source: WER9Fz381n.exe | String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
                Source: WER9Fz381n.exe, 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.g
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.000000000358B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000349B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.000000000358B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000349B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/Root.crl0
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.000000000358B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000349B000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.globalsign.net/primobject.crl0
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
                Source: WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013C58000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CBE000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CE4000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion9e146be9-c76a-4720-bcdb-53011b8
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CE4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionS-1-5-21-2246122658-3693405117-
                Source: WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013C58000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionhttp://dg2sz7pxs7llf2t25fsbutlv
                Source: WER9Fz381n.exe | String found in binary or memory: http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.oniont
                Source: WER9Fz381n.exe | String found in binary or memory: http://gais.cs.ccu.edu.tw/robot.php)Gulper
                Source: WER9Fz381n.exe | String found in binary or memory: http://grub.org)Mozilla/5.0
                Source: WER9Fz381n.exe | String found in binary or memory: http://help.yahoo.com/help/us/ysea
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://https://_bad_pdb_file.pdb
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://invalidlog.txtlookup
                Source: WER9Fz381n.exeString found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
                Source: WER9Fz381n.exeString found in binary or memory: http://search.ms
                Source: WER9Fz381n.exeString found in binary or memory: http://search.msn.com/msn
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF4000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013C10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ww82.trythisgid.com/
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013C10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ww82.trythisgid.com/Fri
                Source: WER9Fz381n.exeString found in binary or memory: http://www.alexa.com/help/webmasters;
                Source: WER9Fz381n.exeString found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)POLARIS/6.01(BREW
                Source: WER9Fz381n.exeString found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
                Source: WER9Fz381n.exeString found in binary or memory: http://www.bloglines.com)F
                Source: WER9Fz381n.exeString found in binary or memory: http://www.everyfeed.com)explicit
                Source: WER9Fz381n.exeString found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
                Source: WER9Fz381n.exeString found in binary or memory: http://www.google.com/adsbot.html)Encountered
                Source: WER9Fz381n.exeString found in binary or memory: http://www.google.com/bot.h
                Source: WER9Fz381n.exeString found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
                Source: WER9Fz381n.exeString found in binary or memory: http://www.google.com/bot.html)tls:
                Source: WER9Fz381n.exeString found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
                Source: WER9Fz381n.exeString found in binary or memory: http://www.googlebot.com/bot.html)Links
                Source: WER9Fz381n.exeString found in binary or memory: http://www.spidersoft.com)Wget/1.9
                Source: WER9Fz381n.exeString found in binary or memory: http://yandex.com/bots)Opera/9.51
                Source: WER9Fz381n.exeString found in binary or memory: http://yandex.com/bots)Opera/9.80
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://blockchain.infoindex
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://blockstream.info/apiinvalid
                Source: WER9Fz381n.exeString found in binary or memory: https://cdn.discordapp.com/attachments/1023299088751538198/1023549843135795230/to
                Source: WER9Fz381n.exeString found in binary or memory: https://cdn.discordapp.com/attachments/925779512644497442/933676145558310953/obfs4proxy.exehttps://g
                Source: WER9Fz381n.exeString found in binary or memory: https://raw.githubusercontent.c
                Source: WER9Fz381n.exeString found in binary or memory: https://trythisgid.com/app-install-failureinsufficient
                Source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)gentraceback
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D82000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D6E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
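                The "String found in binary or memory" rows above are printed exactly as the strings sit in the dumped memory, so the same URL appears fused with a GUID ("...onion9e146be9-c76a-..."), with a SID ("...onionS-1-5-21-..."), or with the next string ("blockchain.infoindex"). The script below is an added example, not part of the Joe Sandbox report: it cuts each row at the indicator boundary, checks every 56-character .onion label against the Tor v3 address checksum (SHA3-256 over ".onion checksum" || pubkey || 0x03, as specified in Tor's rend-spec-v3), and separates clearnet hosts that were terminated by a "/" from hosts that sit at the end of the string and may be fused with junk. SAMPLE_ROWS is constructed from rows on this page with the "Source: ..." prefix stripped; nothing here contacts the network.

```python
"""Turn Joe Sandbox "String found in binary or memory" rows into usable network IOCs.

The sandbox prints each string exactly as it sits in the dumped memory, so a URL
is frequently fused with whatever bytes followed it (a GUID, a SID, the next
string). Cutting at the indicator boundary and validating what was cut out is
what keeps junk such as "blockchain.infoindex" out of a blocklist.
"""
import base64
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample input: the string column of rows from the report above,
# with the "Source: ... String found in binary or memory:" prefix removed.
SAMPLE_ROWS = [
    "http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion",
    "http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion9e146be9-c76a-4720-bcdb-53011b8",
    "http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionS-1-5-21-2246122658-3693405117-",
    "http://ww82.trythisgid.com/",
    "http://ww82.trythisgid.com/Fri",
    "https://trythisgid.com/app-install-failureinsufficient",
    "https://blockchain.infoindex",
]

# A v3 onion label is exactly 56 base32 characters; whatever is glued after ".onion" is ignored.
ONION_V3_RE = re.compile(r"\b([a-z2-7]{56})\.onion", re.IGNORECASE)
# Host part of a URL; a captured trailing "/" proves the host was terminated, not fused.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(/?)")
VERSION = b"\x03"


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (Tor rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Address for a 32-byte ed25519 public key: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion service key must be 32 bytes")
    body = pubkey + onion_v3_checksum(pubkey) + VERSION
    return base64.b32encode(body).decode().lower() + ".onion"


def is_valid_onion_v3(address: str) -> bool:
    """True only if the label decodes to 35 bytes ending in 0x03 with a matching checksum."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError: non-alphabet character
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == onion_v3_checksum(pubkey)


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into tickets and chat."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def extract_indicators(rows: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every URL found in the rows.

    onion               v3 addresses whose checksum verifies
    onion_bad_checksum  56-char labels that look like v3 addresses but do not verify
    host                clearnet hosts terminated by "/" (safe to use as-is)
    host_suspect        clearnet hosts at the end of the string, possibly fused with junk
    """
    out = {"onion": set(), "onion_bad_checksum": set(), "host": set(), "host_suspect": set()}
    for row in rows:
        for label in ONION_V3_RE.findall(row):
            addr = label.lower() + ".onion"
            out["onion" if is_valid_onion_v3(addr) else "onion_bad_checksum"].add(addr)
        for host, slash in URL_HOST_RE.findall(row):
            if ".onion" in host.lower():
                continue  # already handled by the stricter onion regex above
            out["host" if slash else "host_suspect"].add(host.lower())
    return {kind: sorted(values) for kind, values in out.items()}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_ROWS).items():
        for value in values:
            print(f"{kind:20s} {defang(value)}")
```

                A passing checksum only proves the label is a well-formed v3 address, which is what separates a real indicator from a truncated or corrupted copy such as the "...oniont" and "...onionhttp://..." rows; it says nothing about whether the service is reachable, and the report itself only records that the string was present in the heap of both processes. Hosts in the host_suspect list need a manual look before they go anywhere near a blocklist.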

                E-Banking Fraud

                Source: Yara match | File source: 4.2.WER9Fz381n.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.WER9Fz381n.exe.37f0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.WER9Fz381n.exe.3700000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.WER9Fz381n.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.WER9Fz381n.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.WER9Fz381n.exe.2f70e67.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.WER9Fz381n.exe.37f0000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.WER9Fz381n.exe.3700000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.WER9Fz381n.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.WER9Fz381n.exe.2e80e67.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WER9Fz381n.exe PID: 7264, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: WER9Fz381n.exe PID: 7480, type: MEMORYSTR

                System Summary

                Source: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 0_2_02F76FF7
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 0_2_02FC09D7
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 0_2_02F7A967
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 4_2_02E86FF7
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 4_2_02ED09D7
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 4_2_02E8A967
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: String function: 02F9C597 appears 53 times
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: String function: 02F9AEC7 appears 71 times
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: String function: 02EAC597 appears 53 times
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: String function: 02EAAEC7 appears 71 times
                Source: WER9Fz381n.exe | Static PE information: invalid certificate
                Source: WER9Fz381n.exe | Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
                Source: WER9Fz381n.exe | Binary or memory string: OriginalFilename vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.000000000358B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.0000000004018000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.0000000004018000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000C29000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000C29000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.0000000003799000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.0000000003799000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe | Binary or memory string: OriginalFilename vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1445502886.000000000349B000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1445502886.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1445502886.00000000036A9000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedsefix.exe. vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003F28000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003F28000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesymsrv.dllj% vs WER9Fz381n.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinmonFS.sysZ vs WER9Fz381n.exe
                Source: WER9Fz381n.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/0@2/2
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 0_2_02B7B7C6 CreateToolhelp32Snapshot,Module32First
                Source: WER9Fz381n.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: WER9Fz381n.exe | ReversingLabs: Detection: 84%
                Source: WER9Fz381n.exe | String found in binary or memory: ackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625:UseSTD3RulesAccept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCach
                Source: WER9Fz381n.exe | String found in binary or memory: ker initGetConsoleModeGetProcAddressGetShellWindowGetSystemTimesGetTickCount64GetUserNameExWGetWindowTextWGooglebot-NewsHTMLParser/1.6ICE-CONTROLLEDINTERNAL_ERRORInstEmptyWidthIsWellKnownSidIsWow64ProcessLoadLibraryExWMAPPED-ADDRESSMAX_FRAME_SIZEMB; allocated
                Source: WER9Fz381n.exe | String found in binary or memory: application/app/install.go
                Source: WER9Fz381n.exe | String found in binary or memory: application/resilience/btcblockchain/address.go
                Source: WER9Fz381n.exe | String found in binary or memory: is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: ^\x00-\x{10FFFF}address is emptyafter ob
                Source: WER9Fz381n.exe | String found in binary or memory: unknown network workbuf is emptywrite config: %wwww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTok
                Source: WER9Fz381n.exe | String found in binary or memory: %wfailed to restrict Tor service control: %wgrew heap, but no adequate free span foundhttp: ContentLength=%d with Body length %dhttps://trythisgid.com/app-install-failureinsufficient data for resource body lengthinvalid HTTP header value %q for header %qlookin
                Source: WER9Fz381n.exe | String found in binary or memory: Temporary RedirectTerminateJobObjectUNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESS[^\x00-\x{10FFFF}]bad Content-Lengthbad manualFreeListbufio: buffer fullconnection refusedcontext.
                Source: WER9Fz381n.exe | String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
                Source: WER9Fz381n.exe | String found in binary or memory: is nil, not nStackRoots= out of range s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625:UseSTD3RulesAccept-RangesAuthorizationCLIENT_RANDOMCONNECTION-ID
                Source: WER9Fz381n.exe | String found in binary or memory: workbuf is emptywrite config: %wwww-authenticate initialHeapLive= spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method ; SameSite=StrictAdjustTokenGroupsCOMPRESS
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | File read: C:\Users\user\Desktop\WER9Fz381n.exe
                Source: unknown | Process created: C:\Users\user\Desktop\WER9Fz381n.exe "C:\Users\user\Desktop\WER9Fz381n.exe"
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Process created: C:\Users\user\Desktop\WER9Fz381n.exe "C:\Users\user\Desktop\WER9Fz381n.exe"
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: msimg32.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: msvcr100.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: powrprof.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: umpdc.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wtsapi32.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: winsta.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: sxs.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: netapi32.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: samcli.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: samlib.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: msimg32.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: msvcr100.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: powrprof.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: umpdc.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wtsapi32.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: winsta.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: sxs.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\WER9Fz381n.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\WER9Fz381n.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\WER9Fz381n.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\WER9Fz381n.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32Jump to behavior
                Source: WER9Fz381n.exeStatic file information: File size 4253224 > 1048576
                Source: C:\Users\user\Desktop\WER9Fz381n.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: WER9Fz381n.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x3eb600
                Source: WER9Fz381n.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: Loader.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: EfiGuardDxe.pdb7 source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: symsrv.pdb source: WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003F28000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\Release\WinmonProcessMonitor.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Unable to locate the .pdb file in this location source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: The module signature does not match with .pdb signature. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: .pdb.dbg source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: '(EfiGuardDxe.pdbx source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: symsrv.pdbGCTL source: WER9Fz381n.exe, 00000000.00000003.1387384767.0000000004018000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000C29000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000003799000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000036A9000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003F28000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: or you do not have access permission to the .pdb location. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: EfiGuardDxe.pdb source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Users\vladimir\source\repos\driver-process-monitor\x64\Release\WinmonProcessMonitor.pdb source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: dbghelp.pdb source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: dbghelp.pdbGCTL source: WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\muxusad\viwep\gokixetuweton suhip90\hobeloz_cawico.pdb source: WER9Fz381n.exe

                Data Obfuscation

                Source: C:\Users\user\Desktop\WER9Fz381n.exe Unpacked PE file: 0.2.WER9Fz381n.exe.400000.4.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Unpacked PE file: 4.2.WER9Fz381n.exe.400000.5.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.symtab:R;
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Unpacked PE file: 0.2.WER9Fz381n.exe.400000.4.unpack
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Unpacked PE file: 4.2.WER9Fz381n.exe.400000.5.unpack
                Source: WER9Fz381n.exe Static PE information: real checksum: 0x410d11 should be: 0x40e96a
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7F8EB pushad ; iretd 0_2_02D881C8
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B80E20 push eax; ret 0_2_02B80E21
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7D87E push eax; ret 0_2_02B7D87F
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7CE56 push ecx; ret 0_2_02B7CE5B
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7CA56 push es; ret 0_2_02B7CA57
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7CD87 pushfd ; ret 0_2_02B7CD88
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7FB32 push esp; ret 0_2_02B7FB3A
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B7D974 push eax; ret 0_2_02B7D980
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02B80755 push cs; ret 0_2_02B80761
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02F75EAF pushfd ; ret 0_2_02F75EB0
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02F7609C pushfd ; ret 0_2_02F7609D
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 0_2_02F78D1D pushfd ; ret 0_2_02F78D1E
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A908EB pushad ; iretd 4_2_02C991C8
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A91E20 push eax; ret 4_2_02A91E21
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A8E87E push eax; ret 4_2_02A8E87F
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A8DE56 push ecx; ret 4_2_02A8DE5B
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A8DA56 push es; ret 4_2_02A8DA57
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A8DD87 pushfd ; ret 4_2_02A8DD88
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A90B32 push esp; ret 4_2_02A90B3A
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A8E974 push eax; ret 4_2_02A8E980
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02A91755 push cs; ret 4_2_02A91761
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02E85EAF pushfd ; ret 4_2_02E85EB0
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02E8609C pushfd ; ret 4_2_02E8609D
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Code function: 4_2_02E88D1D pushfd ; ret 4_2_02E88D1E
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\WER9Fz381n.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai 0_2_02F95267
Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai 0_2_02F951B7
Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai 4_2_02EA5267
Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai 4_2_02EA51B7
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESSBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLDNSMESSAGE.E2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEHTTPS_PROXYI/O TIMEOUTLOCAL ERRORLOST MCACHEMSPANMANUALMETHODARGS(MICROSECONDMILLISECONDMOVE %S: %WMSWSOCK.DLLNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SRAW-CONTROLREFLECT.SETRETRY-AFTERRUNTIME: P RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=191WININET.DLLWUP_PROCESS (SENSITIVE) [RECOVERED] ALLOCCOUNT FOUND AT *( GCSCANDONE M->GSIGNAL= MINTRIGGER= NDATAROOTS= NSPANROOTS= PAGES/BYTE
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD SPAN STATEBAD STACK SIZEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEEXIT STATUS -1FILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATENEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOBFS4PROXY.EXEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREMOVE APP: %WRUNTIME: BASE=RUNTIME: FULL=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0X509IGNORECN=1XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: WER9Fz381n.exe | Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETESTING KEYTTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVT_RESERVEDVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEALARM CLOCKAPPLICATIONBAD ADDRESS
Source: C:\Users\user\Desktop\WER9Fz381n.exe | File opened / queried: VBoxGuest
Source: C:\Users\user\Desktop\WER9Fz381n.exe | File opened / queried: VBoxTrayIPC
Source: C:\Users\user\Desktop\WER9Fz381n.exe | File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\Desktop\WER9Fz381n.exe | File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\WER9Fz381n.exe | Code function: 0_2_02FC0957 rdtsc 0_2_02FC0957
Source: C:\Users\user\Desktop\WER9Fz381n.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: WER9Fz381n.exe | Binary or memory string: falsefaultfloatgcinggeoiphttpsimap2imap3imapsint16int32int64matchmkdirmonthntohsobfs4panicparsepgdsepop3sproxyrangermdirrouterune sdsetsleepslicesockssse41sse42ssse3text/tls13tls: torrctotaluint8usageuser=utf-8valuevmusbvmx86write (MB) Value addr= base code=
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: entersyscallexit status failed to %wfound av: %sgcpacertracegetaddrinfowgot TI tokenguid_machinehost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmsftedit.dllnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wpointtopointproxyconnectreflect.Copyreleasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmVT_ARRAYVT_BYREFWSAIoctlWinmonFSWmiPrvSE[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs default:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterf is nilfinishedfs go1.13.3gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountvolmsvmmoufno anodeno-cacheno_proxyopPseudoraw-readreadfromrecvfromrunnableruntime.scavengeshutdownstrconv.taskkilltor_modeunixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservyuio.top (forced) blocked= defersc= in use)
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: svchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeMicrosoft Windows 10 ProS-1-5-21-2246122658-3693405117-2476756634-1003FirstInstallDateIntel(R) Core(TM)2 CPU 6600 @ 2.40 GHzc:\users\user\desktop\wer9fz381n.exe"C:\Users\user\Desktop\WER9Fz381n.exe" c:\users\user\desktop\wer9fz381n.exeintel(r) core(tm)2 cpu 6600 @ 2.40 ghzcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exesvchost.exectfmon.exesvchost.exeexplorer.exesvchost.exesvchost.exesvchost.exedasHost.exesvchost.exedllhost.exesvchost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.execonhost.exesppsvc.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exesvchost.exesvchost.exespoolsv.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesihost.exesvchost.exesvchost.exesvchost.exesvchost.exectfmon.exesvchost.exeexplorer.exesvchost.exesvchost.exesvchost.exedasHost.exesvchost.exedllhost.exesvchost.exesvchost.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.execonhost.exesppsvc.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exevm detected: vmware: service: vmciC:\Users\user\Desktop\WER9Fz381n.exeC:\Users\user\Desktop\WER9Fz381n.exe.text
Source: WER9Fz381n.exe | Binary or memory string: falsefaultfloatgcinggeoiphttpsimap2imap3imapsint16int32int64matchmkdirmonthntohsobfs4panicparsepgdsepop3sproxyrangermdirrouterune sdsetsleepslicesockssse41sse42ssse3text/tls13tls: torrctotaluint8usageuser=utf-8valuevmusbvmx86write (MB) Value addr= base code=
Source: WER9Fz381n.exe | Binary or memory string: word:][signal \\.\HGFS\\.\vmcistack=[_NewEnumacceptexaddress bad instcgocheckcs default:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp exporterf is nilfinishedfs go1.13.3gs hijack
Source: WER9Fz381n.exe | Binary or memory string: typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32.dll != sweepgen (default %q) (default %v) MB released MB) workers= called from flushedWork gcscanvalid heap_marked= idlethreads= in duration in host name is nil, not nS
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CB2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vm detected: vmware: service: vmci
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseFloatPhoenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUseBridgesUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s casgstatuscmd is nilcomplex128connectiondnsapi.dlldsefix.exedwarf.Attre.keff.orgexitThreadexp mastergetsockoptgoroutine http_proxyimage/jpegimage/webpindicationinvalidptrkeep-alivemSpanInUsenanosecondno resultsnot a boolnot signedowner diedprl_cc.exeres binderres masterresumptionrune <nil>runtime: gschedtracesemacquiresend stateset-cookiesetsockoptsocks bindterminatedtracefree(tracegc()
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: 2024/11/01 11:04:59 vm detected: vmware: service: vmci
Source: WER9Fz381n.exe | Binary or memory string: rTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecryption faileddownloading prox
Source: WER9Fz381n.exe | Binary or memory string: bfs4panicparsepgdsepop3sproxyrangermdirrouterune sdsetsleepslicesockssse41sse42ssse3text/tls13tls: torrctotaluint8usageuser=utf-8valuevmusbvmx86write (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s:
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemuvirtual
Source: WER9Fz381n.exe | Binary or memory string: bindterminatedtracefree(tracegc() unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ... gcwaiting= gp.status= heap_live= idleprocs= in status m->mcache= mallocing= ms clock,
Source: WER9Fz381n.exe | Binary or memory string: dhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid locationloopbackmac_addrmountvolmsvmmoufno anodeno-cacheno_proxyopPseudoraw-readreadfromrecvfromrunnableruntime.scavengeshutdownstrconv.taskkilltor_modeunixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsa
Source: WER9Fz381n.exe | Binary or memory string: FileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad
Source: WER9Fz381n.exe, 00000000.00000002.1405574701.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: WER9Fz381n.exe | Binary or memory string: runtime.scavengeshutdownstrconv.taskkilltor_modeunixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservyuio.top (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= method: ms cpu, not in [ of type runtime= s.limit= s.state= threads= u_a/
Source: WER9Fz381n.exe | Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0x509ignoreCN=1xenservi
Source: WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: 11VBoxSFVT(%d)WINDIRWibx@
Source: WER9Fz381n.exe | Binary or memory string: psfuncgziphosthourhttpicmpidleigmpint8jsonkindlinknonenullopenpathpipepop3quitreadsbrkseeksid=smtpsse2sse3tag:tcp4tcp6texttruetypeudp4udp6uintunixuuidvaryvmcixn-- -%s ... H_T= H_a= H_g= MB, W_a= \" and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad span statebad stack sizebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responseexit status -1file too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofilerateneed more datanil elem type!no module datano such deviceobfs4proxy.exeopen event: %wparse cert: %wprotocol errorread certs: %wremove app: %wruntime: base=runtime: full=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytimeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Microsoft Windows 10 ProHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\TestAppHKEY_USERS\S-1-5-21-2246122658-3693405117-2476756634-1003\Software\Microsoft\a839a7d7Microsoft Windows 10 ProEastern Standard Time2024/11/01 11:04:59 vm detected: vmware: service: vmci
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: NonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vm+detected%3A+vmware%3A+service%3A+vmci
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &gt;&lt;'\'') = ) m=+Inf+inf, n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThaiUUIDWEST"%s"\rss\smb\u00
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: systemvboxtray.exe
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> any -> booleancharsetchunkedcmd.execonnectconsolecpu: %sderiveddriversexpiresfloat32float64gctracehttp://invalidlog.txtlookup max-agemessagenil keynop -> number panic: refererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwsarecvwsasendwup_verxen: %wxennet6 data=%q etypes goal
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: underflowunhandledunzip Torunzip: %ww3m/0.5.1websocketxenevtchn} stack=[ MB goal, actual
Source: WER9Fz381n.exe | Binary or memory string: InformationSetVolumeMountPointWSetupDiOpenDevRegKeyTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad syste
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNonTransitionalNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePartial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: WER9Fz381n.exe, 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: ewaPINGPOSTQEMUROOTG
Source: WER9Fz381n.exe | Binary or memory string: releasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32
Source: WER9Fz381n.exe | Binary or memory string: ashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThaiUUIDWEST"%s"\rss\smb\u00 %+v m=] n=archasn1avx2basebindbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagfailfilefromf
Source: WER9Fz381n.exe, 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: hgfsO
Source: WER9Fz381n.exe, 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: main.isRunningInsideVMWare
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CB2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: useruser-PCC:\Windows\system32\kernel32.dllC:\Users\user\Desktop\WER9Fz381n.exeSELECT Caption FROM Win32_OperatingSystem\\.\VBoxMiniRdrDN\\.\pipe\VBoxMiniRdDN\\.\pipe\VBoxTrayIPCcsrss.exewininit.execsrss.exewinlogon.exeservices.exelsass.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe93b62ac7-5555-49b6-9788-02d52105fd16vm detected: vmware: service: vmci
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CFA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SearchApp.exesearchapp.exesvchost.exedllhost.exesvchost.exesvchost.exeWmiPrvSE.exewmiprvse.exewinstore.app.exeWmiPrvSE.exewmiprvse.exeWmiPrvSE.exewmiprvse.execonhost.exesppsvc.exeupfc.exesvchost.exesgrmbroker.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exedllhost.exesvchost.exewer9fz381n.exevmci$
Source: WER9Fz381n.exe | Binary or memory string: rayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTra
Source: WER9Fz381n.exe | Binary or memory string: usageuser=utf-8valuevmusbvmx86write (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PL
Source: WER9Fz381n.exe | Binary or memory string: rnateUSE-CANDIDATEUsage of %s: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VBoxSF$
Source: WER9Fz381n.exe | Binary or memory string: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai
Source: WER9Fz381n.exe | Binary or memory string: truetypeudp4udp6uintunixuuidvaryvmcixn-- -%s ... H_T= H_a= H_g= MB, W_a= \" and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp
Source: WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: yvmcixn-Re-
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe
Source: WER9Fz381n.exe | Binary or memory string: 11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdomaindwarf.efenceempty exec: expectfamilygeoip6gopherhangupheaderip+netkilledlistenminutenumberobjectpopcntreadatreasonremoverenamerun-v3rune1 scvg: secondsecure
Source: WER9Fz381n.exe | Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredUninstallerVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad address
Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe
Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: m=] n=archasn1avx2basebindbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpint8jsonkindlinknonenullopenpathpipepop3quitreadsbrkseeksid=smtpsse2sse3tag:tcp4tcp6texttruetypeudp4udp6uintunixuuidvaryvmcixn-- -%s ...
Source: WER9Fz381n.exe | Binary or memory string: basebindbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagfailfilefromftpsfuncgziphosthourhttpicmpidleigmpint8jsonkindlinknonenullopenpathpipepop3quitreadsbrkseeksid=smtpsse2sse3tag:tcp4tcp6texttruetypeudp4udp6uintunixuuidvaryvmcixn-- -%
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 100-continue127.0.0.1:%d152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransitionalTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecryption faileddownloading proxyelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysembedded/EULA.txtentersyscallblockexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of removing watchdogruntime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff s.callback is nilscanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:start service: %wthread exhaustiontransfer-encodingtruncated headersunknown caller pcvalidate hash: %wwait for GC cyclewine_get_version
                Source: WER9Fz381n.exeBinary or memory string: oenicianProcessingPulseEventRST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUseBridgesUser-AgentVMSrvc.exeVT_ILLEGALWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CFA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware: service: vmci
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D6A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: build_number=19045&campaign_id=%2F407&distributor_id=407&machine_guid=9e146be9-c76a-4720-bcdb-53011b87bd06&reason=vm+detected%3A+vmware%3A+service%3A+vmci&version=191
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= ErrCode=%v a.npages= b.npages= bytes ...
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: winstore.app.exevboxtray.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CFA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: service: vmcicsrss
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: [system process]vboxtray.exe
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Value is nullVirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptyemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflatehttp2client=0if-none-matchimage/svg+xmlinvalid UTF-8invalid base kernel32.dllkey expansionlast-modifiedlevel 3 resetload64 failedmaster secretname is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeread EULA: %wrebooting nowscvg: inuse: service stateset event: %wsigner is nilsocks connectsrmount errorstill in listtimer expiredtrailing datatriggerRatio=unimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: to unallocated span$WINDIR\watchdog.exe%%!%c(*big.Float=%s)%s\Sysnative\cmd.exe37252902984619140625Arabic Standard TimeAzores Standard TimeCertFindChainInStoreCertOpenSystemStoreWChangeServiceConfigWCheckTokenMembershipCreateProcessAsUserWCryptAcquireContextWEgyptian_HieroglyphsEnumProcessModulesExFileTimeToSystemTimeGetAcceptExSockaddrsGetAdaptersAddressesGetCurrentDirectoryWGetFileAttributesExWGetModuleFileNameExWGetModuleInformationGetProcessMemoryInfoGetWindowsDirectoryWIDS_Trinary_OperatorInsufficient StorageIsrael Standard TimeJordan Standard TimeMAX_HEADER_LIST_SIZEMalformed JSON errorMediapartners-GoogleMeroitic_HieroglyphsNtSetInformationFileNtUnmapViewOfSectionNtWriteVirtualMemoryOffline Explorer/2.5ProcessIdToSessionIdQueryServiceConfig2WQueryServiceStatusExRegisterEventSourceWRequest URI Too LongRtlInitUnicodeStringSHGetKnownFolderPathSafeArrayDestroyDataSafeArrayGetElemsizeSeek: invalid offsetSeek: invalid whenceSetCurrentDirectoryWSetHandleInformationSetVolumeMountPointWSetupDiOpenDevRegKeyTaipei Standard TimeTerminal_PunctuationTurkey Standard TimeUnprocessable EntityWinmonProcessMonitor[invalid char class]\\.\pipe\VBoxTrayIPCasn1: syntax error: bad defer size classbad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpchan send (nil chan)close of nil 
channelconnection error: %sconnection timed outcouldn't disable DSEcouldn't get IsAdmincouldn't get serverscouldn't run servicecouldn't set IsAdmincouldn't set serverscouldn't stop PsaSvccouldn't write patchcreate proxy dir: %wcreate text edit: %wdecode siganture: %wdecode signature: %welectrum.bitkoins.nlelectrum.hsmiths.comelectrum.taborsky.czelectrum.villocq.comevent message is nilflag: help requestedfloating point errorforcegc: phase errorgc_trigger underflowget transactions: %wgetadaptersaddressesgo of nil func valuegopark: bad g statusgzip: invalid headerheader line too longhttp2: stream closedinvalid repeat countinvalid request codeis a named type filejson: Unmarshal(nil json: Unmarshal(nil)key has been revokedmSpanList.insertBackmalformed ciphertextmalloc during signalmove GeoIP files: %wmove Tor GeoIP filesno such struct fieldnon-empty swept listnorm: invalid whencenot an integer classnotetsleep not on g0number has no digitsp mcache not flushedpacer: assist ratio=pad length too largepreempt off reason: reflect.Value.SetIntreflect.makeFuncStubrequest file CDN: %wroot\SecurityCenter2runtime: casgstatus runtime: double waitruntime: unknown pc semaRoot rotateRightstun.ipfire.org:3478systemdrive is emptytime: invalid numbertrace: out of memoryunexpected network: unknown address typeunsupported arch: %suser is not an adminvalue is not presentwirep: already in goworkbuf is not emptywrite of Go pointer ws2_32.dll not foundzlib: invalid header gp.gcscanvalid=true
                Source: WER9Fz381n.exeBinary or memory string: runtime.scavengeshutdownstrconv.taskkilltor_modeunixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservyuio.top (forced) blocked= defersc= in use) lockedg= lockedm= m->curg= method: ms cpu, not in [ of type runtime= s.limit= s.state= threads= u_a/
                Source: WER9Fz381n.exe, 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: \\.\HGFS`
                Source: WER9Fz381n.exe, 00000004.00000002.1444299041.0000000000DA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: *struct { BuildNumber string }vm+detected%3A+vmware%3A+service%3A+vmci/
                Source: WER9Fz381n.exeBinary or memory string: anNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: (MISSING)(unknown)+infinity, newval=, oldval=-07:00:00-infinity/api/cdn?/api/poll127.0.0.1244140625: status=; Domain=Accuracy(AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]atomicor8attributeb.ooze.ccbad indirbroadcastbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0ecdsa.netempty urlfn.48.orgfodhelperfork/execfuncargs(gdi32.dllimage/gifimage/pnginterfaceinterruptipv6-icmplocalhostmSpanDeadmSpanFreemulticastnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqprintableprotocol proxy.exepsapi.dllraw-writereboot inrecover: reflect: rwxrwxrwxsucceededtask %+v
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CAE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CoCreateInstanceConnectServerkernel32.dllGetUserDefaultLCIDoleaut32.dllExecQuerySysAllocStringLen_NewEnumVBoxMouseVBoxVideo\\.\VBoxGuest\\.\VBoxTrayIPC[System Process]vgauthservice.exeSystemvgauthservice.exeRegistryvgauthservice.exesmss.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exefontdrvhost.exevgauthservice.exefontdrvhost.exevgauthservice.exevgauthservice.exevgauthservice.exedwm.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeMemory Compressionmemory compressionvgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exevgauthservice.exeFri, 01 Nov 2024 15:05:00 GMTtext/html; charset=utf-8no-store, max-age=0sec-ch-prefers-color-schemesec-ch-prefers-color-schemesec-ch-prefers-color-scheme
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CD2000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Tadvapi32.dllRegQueryValueExWServiceVersionServersVersionDistributorIDCampaignIDOSCaptionMicrosoft Windows 10 ProOSArchitecture64-bitPatchTimeBW3L8KKc:\windows\rss\csrss.exeGetTimeZoneInformationEastern Standard Time2024/11/01 11:04:57 OpenProcessTokenGetTokenInformationS-1-5-18c:\windows\rss\csrss.exeCreateToolhelp32Snapshot[System Process]SystemRegistrysmss.exefontdrvhost.exefontdrvhost.exedwm.exeMemory Compressionmemory compressionOfficeClickToRun.exeofficeclicktorun.exeStartMenuExperienceHost.exestartmenuexperiencehost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exesmartscreen.exeApplicationFrameHost.exeapplicationframehost.exeWinStore.App.exeRuntimeBroker.exeruntimebroker.exeTextInputHost.exetextinputhost.exebackgroundTaskHost.exebackgroundtaskhost.exeRuntimeBroker.exeruntimebroker.exeRuntimeBroker.exeruntimebroker.exeupfc.exeSgrmBroker.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.ex
efhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUnvh.exefhtgnsqsiunvh.exefhTGNsQSiUn
                Source: WER9Fz381n.exeBinary or memory string: GOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\c
                Source: WER9Fz381n.exe, 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenToo Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDNbad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecryption faileddownloading proxyelectrumx.soon.itembedded/%s32.sysembedded/%s64.sysembedded/EULA.txtentersyscallblockexec format errorexec: not startedexponent overflowfile URL is emptyfractional secondgp.waiting != nilhandshake failureif-modified-sinceillegal parameterimpersonation: %win string literalindex > windowEndinteger too largeinvalid bit size invalid stream IDkey align too biglibwww-perl/5.820locked m0 woke upmark - bad 
statusmarkBits overflowmissing closing )missing closing ]missing extensionnil resource bodyno data availablenotetsleepg on g0permission deniedpseudo-device: %sread revision: %wreflect.Value.Capreflect.Value.Intreflect.Value.Lenreflect: New(nil)reflect: call of removing watchdogruntime.newosprocruntime: a.base= runtime: b.base= runtime: nameOff runtime: next_gc=runtime: pointer runtime: textOff runtime: typeOff s.callback is nilscanobject n == 0seek at 0x%0x: %wseeker can't seekselect (no cases)stack: frame={sp:start service: %wthread exhaustiontransfer-encodingtruncated headersunknown caller pcvalidate hash: %wwait for GC cyclewine_get_versionwrong medium type but memory size because dotdotdot to non-Go memory $SYSTEMDRIVE\Users, locked to thread298023223876953125: day out of rangeArab Standard TimeAsset %s not foundCM_MapCrToWin32ErrCaucasian_AlbanianCertGetNameStringWCloseServiceHandleCommandLineToArgvWCreateCompatibleDCCreateDispTypeInfoCreateFileMappingWCreateRemoteThreadCreateWellKnownSidCryptUnprotectDataCuba Standard TimeELinks/0.12~pre5-4EnumProcessModulesExpectation FailedFLOW_CONTROL_ERRORFiji Standard TimeGetBestInterfaceExGetComputerNameExWGetCurrentThreadIdGetExitCodeProcessGetFileAttributesWGetModuleBaseNameWGetModuleFileNameWGetModuleHandleExWGetSidSubAuthorityGetUserDefaultLCIDGetVolumePathNameWGo-http-client/1.1Go-http-client/2.0HKEY_LOCAL_MACHINEInternetSetOptionWIran Standard TimeKey path not foundLookupAccountNameWMakeSelfRelativeSDMethod Not AllowedNtSetContextThreadOmsk Standard TimePASSWORD-ALGORITHMPFXImportCertStorePermanent RedirectProxy-AuthenticateQueryServiceStatusRCodeServerFailureRFS specific errorRegional_IndicatorRoAc
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilAttr(BamumBatakBuhidCall CountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSTermTakriTamilTypeAUUID=\u202allowarraybad nchdirclosecsrssfalsefaultfloatgcinggeoiphttpsimap2imap3imapsint16int32int64matchmkdirmonthntohsobfs4panicparsepgdsepop3sproxyrangermdirrouterune sdsetsleepslicesockssse41sse42ssse3text/tls13tls: torrctotaluint8usageuser=utf-8valuevmusbvmx86write (MB)
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CFA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: service: vmci
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTESTING KEYTTL expiredUninstallerVBoxServiceVMUSrvc.exeVT_RESERVEDVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exealarm clockapplicationbad addressbad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlldnsmessage.e2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknamehttps_proxyi/o timeoutlocal errorlost mcachemSpanManualmethodargs(microsecondmillisecondmove %s: %wmswsock.dllnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sraw-controlreflect.Setretry-afterruntime: P runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=191wininet.dllwup_process (sensitive) [recovered] allocCount found at *( gcscandone m->gsignal= minTrigger= nDataRoots= nSpanRoots= pages/byte
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: acceptactivechan<-closedcookiedirectdomaindwarf.efenceempty exec: expectfamilygeoip6gopherhangupheaderip+netkilledlistenminutenumberobjectpopcntreadatreasonremoverenamerun-v3rune1 scvg: secondsecureselectsendtoserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D26000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: build_number=19045&campaign_id=%2F407&distributor_id=407&machine_guid=9e146be9-c76a-4720-bcdb-53011b87bd06&reason=vm+detected%3A+vmware%3A+service%3A+vmci&version=191R
                Source: WER9Fz381n.exeBinary or memory string: usageuser=utf-8valuevmusbvmx86write (MB) Value addr= base code= ctxt: curg= goid jobs= list= m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...) , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PL
                Source: WER9Fz381n.exeBinary or memory string: electsendtoserversocketsocks socks5statusstringstructsweep telnetuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> dying= flags= len=%d locks= m->g0= nmsys= s=nil $WINDIR%03d %s%v: %#x, goid=, si
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.Pointervirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0x509ignoreCN=1xenservice.exezero parameter with GC prog
                Source: WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiBridgeCANCELCancelCarianChakmaClass(CommonCookieCopticDELETEExpectFltMgrFormatFridayGOAWAYGOROOTGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFVT(%d)WINDIRWinMonWinmon[]byte\??\%s\csrss\ufffd
                Source: WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CDC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: CloseHandleS-1-5-18nehalemkvmqemuvirtualpersoconProcess32FirstW[system process]vboxtray.exevboxservice.exeProcess32NextWSystemsystemvboxtray.exevboxservice.exeRegistryregistry
                Source: WER9Fz381n.exeBinary or memory string: truetypeudp4udp6uintunixuuidvaryvmcixn-- -%s ... H_T= H_a= H_g= MB, W_a= \" and h_a= h_g= h_t= max= ptr siz= tab= top= u_a= u_g=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, ..., fp:-0930.html.jpeg.wasm.webp
                Source: C:\Users\user\Desktop\WER9Fz381n.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 0_2_02FC0957 rdtsc 0_2_02FC0957
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 0_2_02B7B0A3 push dword ptr fs:[00000030h]0_2_02B7B0A3
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 0_2_02F70D90 mov eax, dword ptr fs:[00000030h]0_2_02F70D90
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 0_2_02F7092B mov eax, dword ptr fs:[00000030h]0_2_02F7092B
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 4_2_02A8C0A3 push dword ptr fs:[00000030h]4_2_02A8C0A3
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 4_2_02E8092B mov eax, dword ptr fs:[00000030h]4_2_02E8092B
                Source: C:\Users\user\Desktop\WER9Fz381n.exeCode function: 4_2_02E80D90 mov eax, dword ptr fs:[00000030h]4_2_02E80D90
                Source: C:\Users\user\Desktop\WER9Fz381n.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\WER9Fz381n.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\WER9Fz381n.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.WER9Fz381n.exe.37f0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.WER9Fz381n.exe.3700000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.2f70e67.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.WER9Fz381n.exe.37f0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.WER9Fz381n.exe.3700000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.2e80e67.13.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WER9Fz381n.exe PID: 7264, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WER9Fz381n.exe PID: 7480, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.WER9Fz381n.exe.37f0000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.WER9Fz381n.exe.3700000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.2f70e67.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.WER9Fz381n.exe.37f0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.WER9Fz381n.exe.3700000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.WER9Fz381n.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.WER9Fz381n.exe.2e80e67.13.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: WER9Fz381n.exe PID: 7264, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: WER9Fz381n.exe PID: 7480, type: MEMORYSTR
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 12 Virtualization/Sandbox Evasion | OS Credential Dumping | 241 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Obfuscated Files or Information | NTDS | 3 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 1 Proxy | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Antivirus detection for the submitted sample

Source          | Detection | Scanner        | Label
WER9Fz381n.exe  | 84%       | ReversingLabs  | Win32.Trojan.Lockbit
WER9Fz381n.exe  | 100%      | Avira          | HEUR/AGEN.1303615
WER9Fz381n.exe  | 100%      | Joe Sandbox ML |

No antivirus matches for the other scanned artifact categories (dropped files, unpacked PE files, domains, URLs).

Note that the ReversingLabs label names Lockbit while the report's classification, based on the Yara match, is Glupteba; a single vendor's family label is not a reliable attribution on its own.
Domains

Name                             | IP             | Active  | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net  | 13.107.246.45  | true    | false     |                     | unknown
trythisgid.com                   | 46.8.8.100     | true    | false     |                     | unknown
63214.bodis.com                  | 199.59.243.227 | true    | false     |                     | unknown
ww82.trythisgid.com              | unknown        | unknown | true      |                     | unknown

URLs contacted

Name                                        | Malicious | Antivirus Detection | Reputation
http://ww82.trythisgid.com/                 | false     |                     | unknown
https://trythisgid.com/app-install-failure  | false     |                     | unknown
URLs found in the sample and its memory dumps

Antivirus detection and reputation are "unknown" for every entry below. Most of the entries are reference URLs that web crawlers place in their User-Agent strings (hence the trailing ")" and the adjacent fragments such as Mozilla/5.0 or Wget/1.9); they were extracted from the sample's strings, not observed on the wire, and the only contacted URLs are the two trythisgid.com entries in the table above. The entries marked malicious are the Tor hidden-service address, which also appears concatenated with a GUID fragment and with a local SID. The Discord CDN attachment path ending in obfs4proxy.exe (a Tor pluggable transport binary) is consistent with that Tor usage.

Source set [A] = WER9Fz381n.exe, WER9Fz381n.exe, 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp

Name (as extracted) | Source | Malicious
http://search.msn.com/msnbot.htm)net/http: | [A] | false
http://help.yahoo.com/help/us/ysea | WER9Fz381n.exe | false
http://invalidlog.txtlookup | [A] | false
http://search.msn.com/msnbot.htm)msnbot/1.1 | [A] | false
http://search.msn.com/msn | WER9Fz381n.exe | false
http://gais.cs.ccu.edu.tw/robot.php)Gulper | WER9Fz381n.exe | false
https://raw.githubusercontent.c | WER9Fz381n.exe | false
http://www.google.com/bot.html)tls: | WER9Fz381n.exe | false
http://www.spidersoft.com)Wget/1.9 | WER9Fz381n.exe | false
http://www.archive.org/details/archive.org_bot)Opera/9.80 | WER9Fz381n.exe | false
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4 | [A] | false
http://yandex.com/bots)Opera/9.51 | WER9Fz381n.exe | false
http://www.google.com/bot.html)Mozilla/5.0 | WER9Fz381n.exe | false
http://www.google.com/bot.h | WER9Fz381n.exe | false
http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion | WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013C58000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CBE000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CE4000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF2000.00000004.00001000.00020000.00000000.sdmp | true
http://https://_bad_pdb_file.pdb | WER9Fz381n.exe, 00000000.00000002.1406450301.00000000035EB000.00000040.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000000.00000003.1387384767.0000000003E6A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp, WER9Fz381n.exe, 00000004.00000003.1416807241.0000000003D7A000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1445502886.00000000034FB000.00000040.00001000.00020000.00000000.sdmp | false
http://archive.org/details/archive.org_bot)Mozilla/5.0 | WER9Fz381n.exe | false
https://www.google.com | WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D82000.00000004.00001000.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013D6E000.00000004.00001000.00020000.00000000.sdmp | false
http://devlog.gregarius.net/docs/ua)Links | [A] | false
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency | WER9Fz381n.exe | false
http://www.bloglines.com)F | WER9Fz381n.exe | false
https://cdn.discordapp.com/attachments/1023299088751538198/1023549843135795230/to | WER9Fz381n.exe | false
http://www.alltheweb.com/help/webmaster/crawler)POLARIS/6.01(BREW | WER9Fz381n.exe | false
http://www.google.com/feedfetcher.html)HKLM | WER9Fz381n.exe | false
http://grub.org)Mozilla/5.0 | WER9Fz381n.exe | false
http://crl.g | WER9Fz381n.exe, 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, WER9Fz381n.exe, 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp | false
https://blockchain.infoindex | WER9Fz381n.exe, 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp | false
http://search.ms | WER9Fz381n.exe | false
http://yandex.com/bots)Opera/9.80 | WER9Fz381n.exe | false
https://trythisgid.com/app-install-failureinsufficient | WER9Fz381n.exe | false
https://turnitin.com/robot/crawlerinfo.html)gentraceback | [A] | false
http://www.avantbrowser.com)MOT-V9mm/00.62 | [A] | false
http://www.exabot.com/go/robot)Opera/9.80 | WER9Fz381n.exe | true
https://blockstream.info/apiinvalid | [A] | false
http://search.msn.com/msnbot.htm)pkcs7: | [A] | false
http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion9e146be9-c76a-4720-bcdb-53011b8 | WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CF0000.00000004.00001000.00020000.00000000.sdmp | true
http://www.alexa.com/help/webmasters; | WER9Fz381n.exe | false
http://www.google.com/adsbot.html)Encountered | WER9Fz381n.exe | false
https://cdn.discordapp.com/attachments/925779512644497442/933676145558310953/obfs4proxy.exehttps://g | WER9Fz381n.exe | false
http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.oniont | WER9Fz381n.exe | true
http://www.googlebot.com/bot.html)Links | WER9Fz381n.exe | false
http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionhttp://dg2sz7pxs7llf2t25fsbutlv | WER9Fz381n.exe, 00000000.00000002.1407844983.0000000013C58000.00000004.00001000.00020000.00000000.sdmp | true
http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onionS-1-5-21-2246122658-3693405117- | WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013CE4000.00000004.00001000.00020000.00000000.sdmp | true
http://ww82.trythisgid.com/Fri | WER9Fz381n.exe, 00000004.00000002.1446483656.0000000013C10000.00000004.00001000.00020000.00000000.sdmp | false
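The "Found Tor onion address" signature behind the entries marked malicious above is, at bottom, a string scan: the same 56-character label turns up in several dumps, sometimes fused with neighbouring data. The following Python is an added example (not code from the Joe Sandbox report or from the sample) that pulls every v3 onion candidate out of raw dump bytes, collapses duplicates, and checks each one structurally: a v3 address is base32(pubkey[32] || checksum[2] || version[1]) with checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] and version 0x03, so a candidate can be verified offline without ever touching Tor. SAMPLE_DUMP is a constructed stand-in for a .sdmp file and the 32-byte key used to build the test address is made up; the address from the table is included only as a candidate, and the script reports whatever the checksum says about it.

```python
"""Scan raw memory-dump bytes for Tor v3 onion addresses and validate them.

Added example for the 'Found Tor onion address' finding; it is not code from
the Joe Sandbox report or from the analysed sample. SAMPLE_DUMP below is a
constructed stand-in for a .sdmp file, and the 32-byte dummy key is made up.
"""
import base64
import binascii
import hashlib
import re

# 56 base32 characters directly followed by ".onion"; the lookbehind stops a
# longer run of base32 text from yielding a bogus 56-character suffix.
ONION_RE = re.compile(rb"(?<![a-z2-7])([a-z2-7]{56})\.onion")
VERSION = b"\x03"  # the only version defined for 56-character addresses


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 address. Used here only to
    build test data; a real service address comes from Tor's own key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(label: str):
    """Return the embedded public key if `label` (56 chars, no '.onion') is a
    structurally valid v3 address: right length, alphabet, version byte and
    checksum. Otherwise return None."""
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def scan_memory_for_onions(blob: bytes):
    """Yield (address, is_valid) for each distinct 56-char .onion candidate.
    The same address usually appears in several dumps; duplicates collapse."""
    seen = set()
    for match in ONION_RE.finditer(blob):
        label = match.group(1).decode("ascii")
        if label in seen:
            continue
        seen.add(label)
        yield label + ".onion", parse_onion_v3(label) is not None


# Constructed dump excerpt: the address the report lists, an address built
# from a dummy key, and that same address with its final character changed
# ('d' -> 'a' turns the version byte 0x03 into 0x00, so it must be rejected).
GOOD = make_onion_v3(bytes(range(32)))
BAD = GOOD[:-7] + "a.onion"
SAMPLE_DUMP = (
    b"http://dg2sz7pxs7llf2t25fsbutlvvrjij4pmojugn75cmxnvoshmju6dzcad.onion\x00"
    b"S-1-5-21-2246122658-3693405117-\x00"
    + b"http://" + GOOD.encode() + b"/api\x00"
    + b"http://" + BAD.encode() + b"\x00"
    + b"http://" + GOOD.encode() + b"\x00"  # second copy, as in a second dump
)

if __name__ == "__main__":
    for address, ok in scan_memory_for_onions(SAMPLE_DUMP):
        print(("valid  " if ok else "INVALID") + "  " + address)
```

A structurally valid address says nothing about whether the hidden service is reachable; the check only separates real addresses from extraction garbage and from strings an operator has deliberately mangled, and the regex still recovers the label when, as in the table above, the address is fused with a following GUID or SID.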
IPs

IP              | Domain          | Country            | ASN    | ASN Name                        | Malicious
199.59.243.227  | 63214.bodis.com | United States      | 395082 | BODIS-NJUS                      | false
46.8.8.100      | trythisgid.com  | Russian Federation | 60592  | GRANSYGransysrohttpgransycomCZ  | false
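The two addresses above, plus 13.107.246.45 from the domain table, should not carry equal weight as indicators: the associated-sample listings further down show 199.59.243.227 shared with unrelated FormBook samples and 13.107.246.45 with unrelated phishing pages, and only 46.8.8.100 resolves a domain this sample actually requested. As an added example (not part of the Joe Sandbox report), the Python below matches the report's domains and IPs against DNS query logs with a severity tier per indicator, so a host that only touched shared infrastructure is recorded but not escalated. The four-column log format and every log line are constructed for this example; the tiers are my own assessment (bodis.com is a domain-parking service and t-msedge.net is Microsoft edge infrastructure), not something the report states.

```python
"""Tiered matching of the report's network indicators against DNS logs.

Added example; not part of the Joe Sandbox report. The log format below is a
constructed four-column line (timestamp, client, query, answer or '-'), the
tiers are my own assessment, and every log line is made up.
"""
import ipaddress

SEVERITY_RANK = {"info": 0, "low": 1, "high": 2}

# Domains from the report's domain table, tiered by how specific the
# infrastructure is to this sample (assessment, not report data).
IOC_DOMAINS = {
    "trythisgid.com": "high",       # resolves to 46.8.8.100; /app-install-failure was requested
    "ww82.trythisgid.com": "high",  # requested; did not resolve during the run
    "63214.bodis.com": "low",       # parking-service hostname shared with unrelated samples
    "s-part-0017.t-0009.t-msedge.net": "info",  # Microsoft edge CDN; expected background noise
}
IOC_IPS = {
    ipaddress.ip_address("46.8.8.100"): "high",
    ipaddress.ip_address("199.59.243.227"): "low",
    ipaddress.ip_address("13.107.246.45"): "info",
}


def match_domain(qname):
    """Highest-severity domain IOC that qname equals or is a subdomain of."""
    qname = qname.lower().rstrip(".")
    best = None
    for ioc, sev in IOC_DOMAINS.items():
        if qname == ioc or qname.endswith("." + ioc):
            if best is None or SEVERITY_RANK[sev] > SEVERITY_RANK[best[1]]:
                best = (ioc, sev)
    return best


def parse_line(line):
    """Split one constructed log line into (ts, client, qname, answer_ip|None)."""
    ts, client, qname, answer = line.split()
    return ts, client, qname, None if answer == "-" else ipaddress.ip_address(answer)


def score_hosts(log_text):
    """Map each client that touched an indicator to its worst severity and the
    indicators it hit; clients with no hits are omitted."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = parse_line(line)
        hits = []
        dom = match_domain(qname)
        if dom is not None:
            hits.append(dom)
        if answer is not None and answer in IOC_IPS:
            hits.append((str(answer), IOC_IPS[answer]))
        if not hits:
            continue
        entry = hosts.setdefault(client, {"severity": "info", "indicators": []})
        for ioc, sev in hits:
            if ioc not in entry["indicators"]:
                entry["indicators"].append(ioc)
            if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = sev
    return hosts


def hosts_to_escalate(log_text, min_severity="high"):
    """Clients whose worst hit reaches min_severity, sorted for stable output."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(c for c, e in score_hosts(log_text).items()
                  if SEVERITY_RANK[e["severity"]] >= floor)


# Constructed log lines (not from the report or any real network).
SAMPLE_LOG = """\
2024-11-01T15:05:01Z 10.0.0.8  trythisgid.com                  46.8.8.100
2024-11-01T15:05:02Z 10.0.0.8  ww82.trythisgid.com             -
2024-11-01T15:05:03Z 10.0.0.8  63214.bodis.com                 199.59.243.227
2024-11-01T15:05:04Z 10.0.0.21 s-part-0017.t-0009.t-msedge.net 13.107.246.45
2024-11-01T15:05:05Z 10.0.0.21 www.example.com                 93.184.216.34
2024-11-01T15:05:06Z 10.0.0.33 cdn.bodis.com                   199.59.243.227
"""

if __name__ == "__main__":
    for client, entry in score_hosts(SAMPLE_LOG).items():
        print(client, entry["severity"], ", ".join(entry["indicators"]))
    print("escalate:", hosts_to_escalate(SAMPLE_LOG))
```

With the constructed log, 10.0.0.8 is escalated because it queried the sample's own domains, 10.0.0.33 is kept at low for resolving to the shared parking address, and 10.0.0.21 stays at info: blocking or alerting on the Microsoft edge address outright would only generate noise.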
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546806
Start date and time: 2024-11-01 16:03:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WER9Fz381n.exe (renamed because the original name is a hash value)
Original Sample Name: 40d22787e79f76e54bfeb359822a4b3ad8e6bef6.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 9
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, TrustedInstaller.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• VT rate limit hit for: WER9Fz381n.exe
Time      | Type             | Description
11:04:54  | API Interceptor  | 8x Sleep call for process WER9Fz381n.exe modified

The sandbox shortened eight Sleep calls to speed up execution. Since the sample carries execution-timing checks (see the signature list), shortened sleeps are themselves detectable, so the behaviour recorded after this point may differ from what the sample does on an unpatched host.
                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                    199.59.243.227SALES ORDER875.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.9net88.net/ge07/?AZFdK=5jGt1VUhS4spDnR&bb=rInKjcPO3O96ojanc4NFv2coOl+G9i0Xo3vzod/XDYjf3VmyXg5Nkxs22tP8faITl6ID
                                                                                                                    draft contract for order #782334.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.deepfy.xyz/t7p4/
                                                                                                                    VkTNb6p288.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.662-home-nb.shop/90v4/
                                                                                                                    NF_Payment_Ref_FAN930276.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.rebel.tienda/7n9v/
                                                                                                                    SWIFT.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.migraine-massages.pro/ym43/?1Do0qp=lxK8zDwlVeZA0KFinmdrczEoh9foX2bLCYsrgBVnd1hBfzxarUrY7JsYsrWqjgtO371UEdIqaCaBOhfuQGtRaIpZZY1Y+O2jmybRXdJyK6xs6rkJOg==&yNNX=snRp
                                                                                                                    #10302024.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.migraine-massages.pro/ym43/
                                                                                                                    18in SPA-198-2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.rebel.tienda/7n9v/
                                                                                                                    WARUNKI UMOWY-pdf.bat.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                    • www.allforai.xyz/puo4/
                                                                                                                    Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.297676.com/xyex/
                                                                                                                    Payment&WarantyBonds.exeGet hashmaliciousFormBookBrowse
                                                                                                                    • www.297676.com/xyex/
                                                                                                                    46.8.8.100KQC5T1LP0k.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                    • yosoborno.com/tmp/
                                                                                                                    MxWl2JFzf6.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                    • yosoborno.com/tmp/
                                                                                                                    Tp4eSq3Ism.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                    • yosoborno.com/tmp/
                                                                                                                    942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exeGet hashmaliciousBdaejec, SalityBrowse
                                                                                                                    • ksandrafashion.com/logo.gif?459eef=27376026
                                                                                                                    http://visit.keznews.comGet hashmaliciousUnknownBrowse
                                                                                                                    • visit.keznews.com/
                                                                                                                    http://visit.keznews.comGet hashmaliciousUnknownBrowse
                                                                                                                    • visit.keznews.com/
                                                                                                                    http://visit.keznews.comGet hashmaliciousUnknownBrowse
                                                                                                                    • visit.keznews.com/
                                                                                                                    http://46.8.8.100Get hashmaliciousUnknownBrowse
                                                                                                                    • 46.8.8.100/
                                                                                                                    http://46.8.8.100Get hashmaliciousUnknownBrowse
                                                                                                                    • 46.8.8.100/
                                                                                                                    http://46.8.8.100Get hashmaliciousUnknownBrowse
                                                                                                                    • 46.8.8.100/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/mario.caligiuri@edmontonpolice.ca | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Zvti64xXTP.exe | malicious | Neshta | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | rU7laIXI5D.exe | malicious | Blihan Stealer | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://cruparcellaire-my.sharepoint.com/:u:/g/personal/dani_grandrcu_com/EXbdq1Yt-JxPlSgSPVHn69cB5_tprGzujznxzQ6i7mvvHA?e=6rgxHk&xsdata=MDV8MDJ8c2hhbm5vbi5wZW5uaW5ndG9uQGRlbm9yYS5jb218ODc2ZTM4NWQ3ZGI5NGM3MTA1MGQwOGRjZmE1Y2RjMDR8ZGIwYjk4ZTFlMjVkNDgzNWI3YzAxODE3MzZlNGQ3YmJ8MHwwfDYzODY2MDUyNDY3ODM3OTYwOXxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18NDAwMDB8fHw%3d&sdata=ZGptdWdxOStnMWRSMzJwUXhzSVJYYVZWZm02QjdSeFlkNlF0K1FJSjFiND0%3d | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://hotmail.cdisaomiguel.com.br | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://tas-pe.com/ahowe@europait.net#ahowe@europait.net | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://us.pbe.encryption.symantec.com/login.html?msgUserId=13963009e4fab12e&enterprise=questdiagnostics&rrRegcode=9hfnDzwZ&locale=en_US | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/bill.wafford@qurateretail.com | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://mailsystem.clubreadymail.com/ls/click?upn=u001.dtlwkBC06DNvwxOIDozee7JfaEFoikK29eANg7C1JNJcXhZ5gVX-2FXngetD1DVBofJAdCxJYPz79KkHjQ4a88CWk3uwk0LHTd-2BQuqz7QlX5FT8W9oRLmLCtzSTX4k0IZqtxXd_tqQENWc9xFqnCCp3iHBun6Ny8Hr4S4LXflP5eWCRCPqMvoWfGV9u-2FwKqzOzsMAx2mMZTD10t6F-2Fa-2BzGZBzV05lc-2BTr9aqg9-2BqytIbVadpFenaHQ0v-2BIdTTiMe-2F-2BfHHsBDK3wAuPgwhtkcw4b5gAaeO6jGph7EzccXK6qZ9q3RXZcEXV8nVUtJyrcSCDmB-2Bn3qJnRr0-2BMlZvtkB3QnuJkj-2BigNgcTK7oh9PPlXl-2FakX6q-2BsTqF4DIEpeEYAXLd3sT | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 13.107.246.45
63214.bodis.com | http://ww82.www.gg/ | malicious | HTMLPhisher | 199.59.243.227
63214.bodis.com | https://www.mynewsbreak.me/redirect-v2?originalUrl=aHR0cHM6Ly90cmFjay5oZWFsdGh5am9pbnRhaWQuY29tL2YwYmIzYjZlLWEyZjktNDBiYy1hZTNiLWQ0YmI5NzE0OTBlNT9jYW1wYWlnbmlkPTE3OTgzMTc0Mjk5OTAxMDUwODkmZmxpZ2h0aWQ9MTc5ODMxODI1NDM3OTExNDQ5NyZjcmVhdGl2ZWlkPTE3OTgzMjIxNzg0MjQ1NzgwNDkmdGlkPW5ld3NicmVha18xNzk4MzE3NDI5OTkwMTA1MDg5XzE3OTgzMTgyNTQzNzkxMTQ0OTdfMTc5ODMyMjE3ODQyNDU3ODA0OSZjbGlja2lkPW52c3NfMDkyODBlYmFmNTEwNDgyZmJkZGRkZjg4N2VhOWE0ZThfMTc5ODMyMjE3ODQyNDU3ODA0OSZpc19ub3ZhPXRydWUmbmJfY2lkPTA5MjgwZWJhZjUxMDQ4MmZiZGRkZGY4ODdlYTlhNGU4XzE3OTgzMjIxNzg0MjQ1NzgwNDk%3D&bucket=dmg_local_email_bucket_18&message_id=qk4YypJ-1SsY65wP&tag=subscribed&exps=nl_bucket_exp_24_2-v3%2Cnl_monetization_24_2-control%2Cnl_prerollout_24_2-v1%2Cnova_traffic_exp_full_09-v26&event_name=emailLinkClick&hashed_email=bb7f633dc30a2a97e85bd33fed777bd2a3f9c2541b52eb64ff345914e50393a5&email_domain=minotsbs.com&meta=eyJzdWJzX3RvcGljIjogImxvY2FsIiwgImZyZXEiOiAiZGFpbHkiLCAic2VuZF90cyI6IDE3MjA5NTkxNzcsICJsaW5rIjogIlNzS3hBQUJpIiwgInBvcyI6ICJsb2dvIiwgImFkX2lkIjogIjE3OTgzMjIxNzg0MjQ1NzgwNDkiLCAibm92YV9zbmFwc2hvdF9pZCI6ICIwOTI4MGViYWY1MTA0ODJmYmRkZGRmODg3ZWE5YTRlOF8xNzk4MzIyMTc4NDI0NTc4MDQ5In0%3D | malicious | Unknown | 199.59.243.226
63214.bodis.com | http://visit.keznews.com | malicious | Unknown | 199.59.243.226
63214.bodis.com | http://visit.keznews.com | malicious | Unknown | 199.59.243.226
63214.bodis.com | http://46.8.8.100 | malicious | Unknown | 199.59.243.225
63214.bodis.com | http://46.8.8.100 | malicious | Unknown | 199.59.243.225
63214.bodis.com | http://46.8.8.100 | malicious | Unknown | 199.59.243.225
63214.bodis.com | https://cdnperf-test.innertest.top/500b-bench.jpg | malicious | Unknown | 199.59.243.225
63214.bodis.com | http://ulssbl.it | malicious | Unknown | 199.59.243.225
63214.bodis.com | http://visit.keznews.com | malicious | Unknown | 199.59.243.222
trythisgid.com | csrss.bin.exe | malicious | Glupteba | 104.21.54.11
Match | Associated Sample Name / URL | Detection | Threat Name | Context
GRANSYGransysrohttpgransycomCZ | http://puzzlewood.net | malicious | Unknown | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | KQC5T1LP0k.exe | malicious | SmokeLoader | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | MxWl2JFzf6.exe | malicious | SmokeLoader | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | Tp4eSq3Ism.exe | malicious | SmokeLoader | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | http://vidaliaonion.org | malicious | Unknown | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | E5r67vtBtc6.exe | malicious | Xmrig | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | Miner-XMR2.exe | malicious | Xmrig | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | LisectAVT_2403002C_119.exe | malicious | Bdaejec, Sodinokibi | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | 942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe | malicious | Bdaejec, Sality | 46.8.8.100
GRANSYGransysrohttpgransycomCZ | https://www.mynewsbreak.me/redirect-v2?originalUrl=aHR0cHM6Ly90cmFjay5oZWFsdGh5am9pbnRhaWQuY29tL2YwYmIzYjZlLWEyZjktNDBiYy1hZTNiLWQ0YmI5NzE0OTBlNT9jYW1wYWlnbmlkPTE3OTgzMTc0Mjk5OTAxMDUwODkmZmxpZ2h0aWQ9MTc5ODMxODI1NDM3OTExNDQ5NyZjcmVhdGl2ZWlkPTE3OTgzMjIxNzg0MjQ1NzgwNDkmdGlkPW5ld3NicmVha18xNzk4MzE3NDI5OTkwMTA1MDg5XzE3OTgzMTgyNTQzNzkxMTQ0OTdfMTc5ODMyMjE3ODQyNDU3ODA0OSZjbGlja2lkPW52c3NfMDkyODBlYmFmNTEwNDgyZmJkZGRkZjg4N2VhOWE0ZThfMTc5ODMyMjE3ODQyNDU3ODA0OSZpc19ub3ZhPXRydWUmbmJfY2lkPTA5MjgwZWJhZjUxMDQ4MmZiZGRkZGY4ODdlYTlhNGU4XzE3OTgzMjIxNzg0MjQ1NzgwNDk%3D&bucket=dmg_local_email_bucket_18&message_id=qk4YypJ-1SsY65wP&tag=subscribed&exps=nl_bucket_exp_24_2-v3%2Cnl_monetization_24_2-control%2Cnl_prerollout_24_2-v1%2Cnova_traffic_exp_full_09-v26&event_name=emailLinkClick&hashed_email=bb7f633dc30a2a97e85bd33fed777bd2a3f9c2541b52eb64ff345914e50393a5&email_domain=minotsbs.com&meta=eyJzdWJzX3RvcGljIjogImxvY2FsIiwgImZyZXEiOiAiZGFpbHkiLCAic2VuZF90cyI6IDE3MjA5NTkxNzcsICJsaW5rIjogIlNzS3hBQUJpIiwgInBvcyI6ICJsb2dvIiwgImFkX2lkIjogIjE3OTgzMjIxNzg0MjQ1NzgwNDkiLCAibm92YV9zbmFwc2hvdF9pZCI6ICIwOTI4MGViYWY1MTA0ODJmYmRkZGRmODg3ZWE5YTRlOF8xNzk4MzIyMTc4NDI0NTc4MDQ5In0%3D | malicious | Unknown | 46.8.8.100
BODIS-NJUS | SALES ORDER875.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | draft contract for order #782334.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | VkTNb6p288.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | SWIFT.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | #10302024.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | 18in SPA-198-2024.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | WARUNKI UMOWY-pdf.bat.exe | malicious | FormBook, GuLoader | 199.59.243.227
BODIS-NJUS | Payment&WarantyBonds.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Payment&WarantyBonds.exe | malicious | FormBook | 199.59.243.227
                                                                                                                    No context
                                                                                                                    No context
                                                                                                                    No created / dropped files found
                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                    Entropy (8bit):7.990370025161888
                                                                                                                    TrID:
                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                    File name:WER9Fz381n.exe
                                                                                                                    File size:4'253'224 bytes
                                                                                                                    MD5:256506e20fe6bddbe08403debd4c39cc
                                                                                                                    SHA1:40d22787e79f76e54bfeb359822a4b3ad8e6bef6
                                                                                                                    SHA256:81b8d673c51e5f98a4690c11f4f4f156349b2ab850733cbac4119c7c6ec3d804
                                                                                                                    SHA512:0a626cc31e90a755706953fbffc6f9e4cbdb1a001c2688589594094f848dea5543b0b7fcbf55e983861f477f83e13c87bd165c5085514690f700b239f7543669
                                                                                                                    SSDEEP:98304:ozPUPTTQjdPp+CX8gA6IfphzteABldSZy:oLYTTQBPZ+fpbRky
                                                                                                                    TLSH:E51633327A60C272D6264AB9C809C111C67F742B6D39238BBFDC8FE94E615D3D635683
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................(....&......................................Rich............................PE..L...X..a...........
                                                                                                                    Icon Hash:d9c9c9596365671e
                                                                                                                    Entrypoint:0x409346
                                                                                                                    Entrypoint Section:.text
                                                                                                                    Digitally signed:true
                                                                                                                    Imagebase:0x400000
                                                                                                                    Subsystem:windows gui
                                                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                    Time Stamp:0x61D49958 [Tue Jan 4 19:00:40 2022 UTC]
                                                                                                                    TLS Callbacks:
                                                                                                                    CLR (.Net) Version:
                                                                                                                    OS Version Major:5
                                                                                                                    OS Version Minor:0
                                                                                                                    File Version Major:5
                                                                                                                    File Version Minor:0
                                                                                                                    Subsystem Version Major:5
                                                                                                                    Subsystem Version Minor:0
                                                                                                                    Import Hash:155a8220c3a90cd41bc56b1f2b0907bc
Signature Valid:false
Signature Issuer:PostalCode=10407
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before, Not After
• 01/11/2022 01:18:32 01/11/2023 01:18:32
Subject Chain
• PostalCode=10407
Issuer and subject are the same single-attribute name and the chain has one entry, i.e. a self-signed certificate. "Digitally signed: true" above only means an Authenticode blob is attached; it confers no trust, so treat the file as unsigned when triaging and never allowlist on this signature.
                                                                                                                    Version:3
                                                                                                                    Thumbprint MD5:427E7770438F3A46CC172A4D169237D4
                                                                                                                    Thumbprint SHA-1:A22567D9A133EF5CE85459B9C4967E0C353B78E4
                                                                                                                    Thumbprint SHA-256:031ECF214A75393923B74F685BB21F86D40CC1E9F294C38C2007F0D3AF4F6CE9
                                                                                                                    Serial:41B4FF57774C82D5F9EADA5865302B5C
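To show where the static fields above come from, here is an added example (not Joe Sandbox code): a standard-library-only parser that reads the IMAGE_FILE_HEADER and 32-bit IMAGE_OPTIONAL_HEADER, reports the same characteristics flags, and computes the 8-bit Shannon entropy the report lists. The PE it parses is constructed inside the block with this report's header values (timestamp 0x61D49958, entrypoint 0x409346, image base 0x400000, RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE, NX_COMPAT|TERMINAL_SERVER_AWARE) over a deterministic high-entropy filler standing in for the packed body; it is not the real sample, and the WIN_CERTIFICATE placeholder exists only so the security directory is non-empty. Two points are easier to see in code than in the table: "Digitally signed" is nothing more than a non-empty security data directory and says nothing about trust, and with RELOCS_STRIPPED set and DYNAMIC_BASE absent the image cannot be relocated, so it always maps at 0x400000 (no ASLR).

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Bit names from winnt.h (only the ones relevant to this report)
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0..8). Compressed or encrypted content sits near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Recover the static fields the report lists from the PE32 headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    _machine, _nsec, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<I", data, oh + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    n_dirs = struct.unpack_from("<I", data, oh + 92)[0]
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, the security entry holds a file offset, not an RVA
        sec_off, sec_size = struct.unpack_from(
            "<II", data, oh + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    ts = datetime.fromtimestamp(stamp, tz=timezone.utc)
    dll_names = [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b]
    return {
        "entrypoint": image_base + entry_rva,
        "imagebase": image_base,
        "timestamp": f"{ts:%a %b} {ts.day} {ts:%H:%M:%S %Y} UTC",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": f"{os_major}.{os_minor}",
        "file_characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if chars & b],
        "dll_characteristics": dll_names,
        # "Digitally signed" in the report only means this directory is non-empty;
        # whether the chain verifies is a separate check this parser cannot do
        "digitally_signed": sec_size > 0 and sec_off + sec_size <= len(data),
        "aslr": "DYNAMIC_BASE" in dll_names,
        "entropy": round(shannon_entropy(data), 2),
    }


def packed_payload(size: int = 65536) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed body."""
    out, block = bytearray(), b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 carrying the header values from the report above.
    Headers plus one section only; it is not the real WER9Fz381n.exe and cannot run."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0x61D49958, 0, 0, 224, 0x0103)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x9346)          # entry RVA -> 0x409346
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # section / file alignment
    struct.pack_into("<HH", opt, 40, 5, 0)           # OS version 5.0
    struct.pack_into("<HH", opt, 48, 5, 0)           # subsystem version 5.0
    struct.pack_into("<HH", opt, 68, 2, 0x8100)      # GUI; NX_COMPAT|TERMINAL_SERVER_AWARE, no DYNAMIC_BASE
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    hdr_len = e_lfanew + 4 + 20 + 224 + 40
    # Placeholder WIN_CERTIFICATE header (revision 2.0, PKCS#7 type) appended after the
    # section, standing in for a real Authenticode blob
    fake_sig = struct.pack("<IHH", 16, 0x200, 2) + b"\0" * 8
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     hdr_len + len(payload), len(fake_sig))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, len(payload),
                          hdr_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + section + payload + fake_sig


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_pe(packed_payload())).items():
        print(f"{key}: {value}")
```

Run directly to print the recovered fields; against the constructed file they match the table above. The entropy figure is the useful static tell: 7.99 bits per byte of a possible 8 over the whole file leaves almost no room for plain code, strings or import tables, so the file is almost entirely compressed or encrypted data, and anything readable in the headers or at the entrypoint is the wrapper, not the payload.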
Instruction
Disassembly at the entrypoint (0x409346). What is listed is stock statically linked MSVC CRT code rather than anything sample-specific: a call to the security-cookie initialiser followed by a jmp into the CRT startup routine; then _freea, whose cmp dword ptr [eax], 0000DDDDh tests the heap marker that _malloca writes in front of blocks too large for the stack; then the _LocaleUpdate constructor, which reads the per-thread data fields at [eax+68h], [eax+6Ch] and [eax+70h] and sets the per-thread-locale bit 02h; and the start of a third routine with the usual xor eax, ebp stack-cookie prologue. With 7.99 bits/byte of entropy across the file, the sample's own code is carried in compressed or encrypted form and does not appear in this listing.
                                                                                                                    call 00007F740483A783h
                                                                                                                    jmp 00007F740483276Eh
                                                                                                                    mov edi, edi
                                                                                                                    push ebp
                                                                                                                    mov ebp, esp
                                                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                                                    test eax, eax
                                                                                                                    je 00007F7404832904h
                                                                                                                    sub eax, 08h
                                                                                                                    cmp dword ptr [eax], 0000DDDDh
                                                                                                                    jne 00007F74048328F9h
                                                                                                                    push eax
                                                                                                                    call 00007F7404831E92h
                                                                                                                    pop ecx
                                                                                                                    pop ebp
                                                                                                                    ret
                                                                                                                    mov edi, edi
                                                                                                                    push ebp
                                                                                                                    mov ebp, esp
                                                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                                                    push esi
                                                                                                                    mov esi, ecx
                                                                                                                    mov byte ptr [esi+0Ch], 00000000h
                                                                                                                    test eax, eax
                                                                                                                    jne 00007F7404832955h
                                                                                                                    call 00007F7404837260h
                                                                                                                    mov dword ptr [esi+08h], eax
                                                                                                                    mov ecx, dword ptr [eax+6Ch]
                                                                                                                    mov dword ptr [esi], ecx
                                                                                                                    mov ecx, dword ptr [eax+68h]
                                                                                                                    mov dword ptr [esi+04h], ecx
                                                                                                                    mov ecx, dword ptr [esi]
                                                                                                                    cmp ecx, dword ptr [0080ACA8h]
                                                                                                                    je 00007F7404832904h
                                                                                                                    mov ecx, dword ptr [0080ABC0h]
                                                                                                                    test dword ptr [eax+70h], ecx
                                                                                                                    jne 00007F74048328F9h
                                                                                                                    call 00007F7404833B01h
                                                                                                                    mov dword ptr [esi], eax
                                                                                                                    mov eax, dword ptr [esi+04h]
                                                                                                                    cmp eax, dword ptr [0080AAC8h]
                                                                                                                    je 00007F7404832908h
                                                                                                                    mov eax, dword ptr [esi+08h]
    mov ecx, dword ptr [0080ABC0h]
    test dword ptr [eax+70h], ecx
    jne 00007F74048328FAh
    call 00007F740483A9BAh
    mov dword ptr [esi+04h], eax
    mov eax, dword ptr [esi+08h]
    test byte ptr [eax+70h], 00000002h
    jne 00007F7404832906h
    or dword ptr [eax+70h], 02h
    mov byte ptr [esi+0Ch], 00000001h
    jmp 00007F74048328FCh
    mov ecx, dword ptr [eax]
    mov dword ptr [esi], ecx
    mov eax, dword ptr [eax+04h]
    mov dword ptr [esi+04h], eax
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 14h
    mov eax, dword ptr [0080A1CCh]
    xor eax, ebp
    mov dword ptr [ebp-04h], eax
    push ebx
    push esi
    xor ebx, ebx
Programming Language:
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e634 | 0x50 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56c000 | 0x41e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x40de00 | 0x828 | .data
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1260 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x42d8 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1fc | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1e1da | 0x1e200 | 4efb6616867b72a42dff8ddde63f5c63 | False | 0.5147011151452282 | data | 6.414503164746957 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x20000 | 0x54bce4 | 0x3eb600 | 0f50383b4c7ba08d30cb89973729dae6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x56c000 | 0x3241e0 | 0x4200 | 1a84a3634925324b6dbbd30ceeefe924 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RIWEZOZAC | 0x56f700 | 0x55f | ASCII text, with very long lines (1375), with no line terminators | Romanian | Romania | 0.6203636363636363
RT_ICON | 0x56c330 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Romanian | Romania | 0.6155234657039711
RT_ICON | 0x56cbd8 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Romanian | Romania | 0.6981566820276498
RT_ICON | 0x56d2a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Romanian | Romania | 0.7326589595375722
RT_ICON | 0x56d808 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Romanian | Romania | 0.648921200750469
RT_ICON | 0x56e8b0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Romanian | Romania | 0.6225409836065574
RT_ICON | 0x56f238 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Romanian | Romania | 0.6764184397163121
RT_STRING | 0x56fde8 | 0xb6 | data | Romanian | Romania | 0.554945054945055
RT_STRING | 0x56fea0 | 0x2fe | data | Romanian | Romania | 0.4725848563968668
RT_STRING | 0x5701a0 | 0x3e | AmigaOS bitmap font "u", 20480 elements, 2nd, 3rd | Romanian | Romania | 0.5967741935483871
RT_ACCELERATOR | 0x56fc60 | 0x40 | data | Romanian | Romania | 0.875
RT_GROUP_ICON | 0x56f6a0 | 0x5a | data | Romanian | Romania | 0.7222222222222222
RT_VERSION | 0x56fca0 | 0x148 | x86 executable not stripped |  |  | 0.6067073170731707
DLL | Import
KERNEL32.dll | LocalSize, InterlockedExchange, GetTickCount, GetNumaProcessorNode, GetConsoleAliasExesLengthW, EnumSystemCodePagesA, TlsGetValue, CopyFileExA, MoveFileWithProgressA, VerifyVersionInfoW, LocalUnlock, DebugBreak, GlobalGetAtomNameA, MapViewOfFileEx, GetWindowsDirectoryA, GetModuleHandleA, lstrlenW, GlobalDeleteAtom, SizeofResource, WriteConsoleInputA, CopyFileW, SetWaitableTimer, GetVersionExA, FindResourceW, OpenEventA, SearchPathA, GetComputerNameA, CallNamedPipeA, GetProcAddress, GlobalAlloc, FoldStringA, SetFileTime, GetConsoleAliasesLengthA, GetSystemWindowsDirectoryA, GetPrivateProfileStructW, GetACP, SetProcessAffinityMask, GlobalFindAtomW, VerifyVersionInfoA, CreateActCtxW, FindNextVolumeA, InterlockedIncrement, GetComputerNameW, CancelDeviceWakeupRequest, GetConsoleFontSize, InterlockedCompareExchange, GetPrivateProfileStructA, EnumCalendarInfoW, EnterCriticalSection, InterlockedDecrement, GetNamedPipeHandleStateW, AreFileApisANSI, SetLastError, WriteConsoleW, GetVolumeInformationA, GetThreadPriority, LoadLibraryW, Sleep, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, RtlUnwind, RaiseException, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapReAlloc, HeapAlloc, DeleteFileA, GetStartupInfoW, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetCPInfo, GetModuleHandleW, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, VirtualAlloc, HeapSize, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, LoadLibraryA, SetFilePointer, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA
GDI32.dll | GetCharWidthA
ADVAPI32.dll | SetThreadToken
Language of compilation system | Country where language is spoken | Map
Romanian | Romania | 
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T16:05:12.898524+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.7 | 49817 | TCP
2024-11-01T16:05:54.163569+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.7 | 63612 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 16:04:59.267848969 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.267889023 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.267972946 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.268680096 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.268691063 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.955935001 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.956214905 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.956242085 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.956870079 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.956880093 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.958421946 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:04:59.958489895 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.959719896 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.959835052 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:04:59.959837914 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.003351927 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.007819891 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:05:00.007844925 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.056022882 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:05:00.116014957 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.116091967 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.116166115 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:05:00.116265059 CET | 49751 | 443 | 192.168.2.7 | 46.8.8.100
Nov 1, 2024 16:05:00.116287947 CET | 443 | 49751 | 46.8.8.100 | 192.168.2.7
Nov 1, 2024 16:05:00.194112062 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Nov 1, 2024 16:05:00.199059010 CET | 80 | 49760 | 199.59.243.227 | 192.168.2.7
Nov 1, 2024 16:05:00.199140072 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Nov 1, 2024 16:05:00.199928999 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Nov 1, 2024 16:05:00.204874039 CET | 80 | 49760 | 199.59.243.227 | 192.168.2.7
Nov 1, 2024 16:05:00.815834045 CET | 80 | 49760 | 199.59.243.227 | 192.168.2.7
Nov 1, 2024 16:05:00.815849066 CET | 80 | 49760 | 199.59.243.227 | 192.168.2.7
Nov 1, 2024 16:05:00.815859079 CET | 80 | 49760 | 199.59.243.227 | 192.168.2.7
Nov 1, 2024 16:05:00.815898895 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Nov 1, 2024 16:05:00.856487989 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Nov 1, 2024 16:05:01.971483946 CET | 49760 | 80 | 192.168.2.7 | 199.59.243.227
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 16:04:59.168044090 CET | 63645 | 53 | 192.168.2.7 | 1.1.1.1
Nov 1, 2024 16:04:59.264265060 CET | 53 | 63645 | 1.1.1.1 | 192.168.2.7
Nov 1, 2024 16:05:00.117005110 CET | 53049 | 53 | 192.168.2.7 | 1.1.1.1
Nov 1, 2024 16:05:00.193084955 CET | 53 | 53049 | 1.1.1.1 | 192.168.2.7
Nov 1, 2024 16:05:15.692872047 CET | 53 | 58163 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 1, 2024 16:04:59.168044090 CET | 192.168.2.7 | 1.1.1.1 | 0xb6fa | Standard query (0) | trythisgid.com | A (IP address) | IN (0x0001) | false
Nov 1, 2024 16:05:00.117005110 CET | 192.168.2.7 | 1.1.1.1 | 0x4af4 | Standard query (0) | ww82.trythisgid.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 16:04:48.718604088 CET | 1.1.1.1 | 192.168.2.7 | 0x4f69 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 16:04:48.718604088 CET | 1.1.1.1 | 192.168.2.7 | 0x4f69 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 16:04:59.264265060 CET | 1.1.1.1 | 192.168.2.7 | 0xb6fa | No error (0) | trythisgid.com |  | 46.8.8.100 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 16:05:00.193084955 CET | 1.1.1.1 | 192.168.2.7 | 0x4af4 | No error (0) | ww82.trythisgid.com | 63214.bodis.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 1, 2024 16:05:00.193084955 CET | 1.1.1.1 | 192.168.2.7 | 0x4af4 | No error (0) | 63214.bodis.com |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
• trythisgid.com
• ww82.trythisgid.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49760 | 199.59.243.227 | 80 | 7480 | C:\Users\user\Desktop\WER9Fz381n.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 16:05:00.199928999 CET | 100 | OUT | GET / HTTP/1.1
Host: ww82.trythisgid.com
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Nov 1, 2024 16:05:00.815834045 CET | 1236 | IN | HTTP/1.1 200 OK
date: Fri, 01 Nov 2024 15:05:00 GMT
content-type: text/html; charset=utf-8
content-length: 1058
x-request-id: 93b62ac7-5555-49b6-9788-02d52105fd16
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_RMeUyYNWHdvmxCwFR1sZxtyh+zIiTjEiZXzbGJaqIBZh8dAxcCMHYEbcPuf6pxfB7oOGN5D/9SYZapDRbKLXKw==
set-cookie: parking_session=93b62ac7-5555-49b6-9788-02d52105fd16; expires=Fri, 01 Nov 2024 15:20:00 GMT; path=/
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_RMeUyYNWHdvmxCwFR1sZxtyh+zIiTjEiZXzbGJaqIBZh8dAxcCMHYEbcPuf6pxfB7oOGN5D/9SYZapDRbKLXKw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Nov 1, 2024 16:05:00.815849066 CET | 212 | IN | Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTNiNjJhYzctNTU1NS00OWI2LTk3ODgtMDJkNTIxMDVmZDE2IiwicGFnZV90aW1lIj
Nov 1, 2024 16:05:00.815859079 CET | 280 | IN | Data Ascii: oxNzMwNDczNTAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzgyLnRyeXRoaXNnaWQuY29tLyIsInBhZ2VfbWV0aG9kIjoiR0VUIiwicGFnZV9yZXF1ZXN0Ijp7fSwicGFnZV9oZWFkZXJzIjp7fSwiaG9zdCI6Ind3ODIudHJ5dGhpc2dpZC5jb20iLCJpcCI6IjE3My4yNTQuMjUwLjgyIn0K";</script><script src="/blc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49751 | 46.8.8.100 | 443 | 7480 | C:\Users\user\Desktop\WER9Fz381n.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-01 15:04:59 UTC | 136 | OUT | POST /app-install-failure HTTP/1.1
Host: trythisgid.com
User-Agent: Go-http-client/1.1
Content-Length: 166
Accept-Encoding: gzip
2024-11-01 15:04:59 UTC | 166 | OUT | Data Ascii: build_number=19045&campaign_id=%2F407&distributor_id=407&machine_guid=9e146be9-c76a-4720-bcdb-53011b87bd06&reason=vm+detected%3A+vmware%3A+service%3A+vmci&version=191
2024-11-01 15:05:00 UTC | 148 | IN | HTTP/1.1 301 Moved Permanently
Location: http://ww82.trythisgid.com/
Date: Fri, 01 Nov 2024 15:05:22 GMT
Content-Length: 0
Connection: close
Target ID: 0
Start time: 11:04:52
Start date: 01/11/2024
Path: C:\Users\user\Desktop\WER9Fz381n.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WER9Fz381n.exe"
Imagebase: 0x400000
File size: 4'253'224 bytes
MD5 hash: 256506E20FE6BDDBE08403DEBD4C39CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.1406450301.000000000336A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000003.1387384767.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 11:04:55
Start date: 01/11/2024
Path: C:\Users\user\Desktop\WER9Fz381n.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WER9Fz381n.exe"
Imagebase: 0x400000
File size: 4'253'224 bytes
MD5 hash: 256506E20FE6BDDBE08403DEBD4C39CC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000004.00000002.1445502886.000000000327A000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000004.00000003.1416807241.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 24.5%
Total number of Nodes: 49
Total number of Limit Nodes: 2
[Execution graph figure omitted; its nodes lie in the 2b7b000 and 2f70000 dump regions and call CreateToolhelp32Snapshot, Module32First, VirtualAlloc, GetPEB, SetErrorMode, VirtualProtect, VirtualFree and LoadLibraryA]

Control-flow Graph

[Control-flow graph figure for the function at 2b7b7c6 omitted; legend: Executed / Not Executed]
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B7B7EE
• Module32First.KERNEL32(00000000,00000224), ref: 02B7B80E
Memory Dump Source
• Source File: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b7b000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0

Control-flow Graph

[Control-flow graph figure for the function at 2f7003c omitted; legend: Executed / Not Executed]
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02F7024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691

Control-flow Graph

[Control-flow graph figure for the function at 2f70e0f omitted; legend: Executed / Not Executed]
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02F70223,?,?), ref: 02F70E19
• SetErrorMode.KERNELBASE(00000000,?,?,02F70223,?,?), ref: 02F70E1E
Memory Dump Source
• Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0

Control-flow Graph

[Control-flow graph figure for the function at 2b7b485 omitted; legend: Executed / Not Executed]
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B7B4D6
Memory Dump Source
• Source File: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b7b000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
Strings
• , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai, xrefs: 02F952D0
• runtime: stat underflow: val runtime: sudog with non-nil cruntime: unknown pc in defer semacquire not on the G stackset ClientTransportPlugin: %wspecified name does not existstring concatenation too longsyntax error scanning booleantask was successfully starte, xrefs: 02F952A6
Memory Dump Source
• Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID:
• String ID: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai$runtime: stat underflow: val runtime: sudog with non-nil cruntime: unknown pc in defer semacquire not on the G stackset ClientTransportPlugin: %wspecified name does not existstring concatenation too longsyntax error scanning booleantask was successfully starte
• API String ID: 0-3599685839
Strings
• , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai, xrefs: 02F95219
Memory Dump Source
• Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
Yara matches
Similarity
• API ID:
• String ID: , n -Inf-inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHEADHKCCHKLMHostJulyJuneLisuMiaoModiNZDTNZSTNewaPINGPOSTQEMUROOTSASTSendStatTempThai
• API String ID: 0-21598161
                                                                                                                      • Opcode ID: 0b14967bf6af31e2cf86c4ee157496ddad0a7c303c256fff561993d9531d4bbb
                                                                                                                      • Instruction ID: efcf876703eb3f27fb6712d1344aa4fe293514b116ae269ed3c095c7cc7acba5
                                                                                                                      • Opcode Fuzzy Hash: 0b14967bf6af31e2cf86c4ee157496ddad0a7c303c256fff561993d9531d4bbb
                                                                                                                      • Instruction Fuzzy Hash: 470195B45087019FEB40FF68D94061DBBE1AF88784F80885EE68887651E778D844CF13
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 147b810c34694f92c40d16b7c895075c7aabaa3623c4a56541efb23be6038f77
                                                                                                                      • Instruction ID: cba02ef76f3a96e787462fb407661ab0e213fc2d6dd68d72576559b2e16f16ec
                                                                                                                      • Opcode Fuzzy Hash: 147b810c34694f92c40d16b7c895075c7aabaa3623c4a56541efb23be6038f77
                                                                                                                      • Instruction Fuzzy Hash: 1151D5717582018BD70CDE348D9662AFB96EBC9200F50E46FE906CF5EAE630DB06DB40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 570c6181352e0e77b1d64040d4d64f938fd6ee33869a39009fa9bb22fa417727
                                                                                                                      • Instruction ID: 9f7913a7575e609730f57ed2836021aaf9f13db8226bc5a2a43a64eb50550fa0
                                                                                                                      • Opcode Fuzzy Hash: 570c6181352e0e77b1d64040d4d64f938fd6ee33869a39009fa9bb22fa417727
                                                                                                                      • Instruction Fuzzy Hash: 61519720C0CF5BA5E6334B7DC4026667B206EB3584B01D76FFDD6B54B2EB136944BA22
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cd4f0d7d50e83b2646a9b0319607e49ed79070115aa4c9e5d6c65176eb49ce28
                                                                                                                      • Instruction ID: ebc7ebcaeb5e97dc334247140e23f19e64dec8dd63320d7ab2dbb0e7cc9afd16
                                                                                                                      • Opcode Fuzzy Hash: cd4f0d7d50e83b2646a9b0319607e49ed79070115aa4c9e5d6c65176eb49ce28
                                                                                                                      • Instruction Fuzzy Hash: E741B771908F458FC306DF79C89131AB3E2BF85394F11872DE95AAB752EB359842CB41
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406124092.0000000002B7B000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B7B000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2b7b000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                      • Instruction ID: 043a31477cb5a428c60bd5ec5b578f168d3f8802576d660428b8b61334b5282a
                                                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                                      • Instruction Fuzzy Hash: 3A11A172340100AFDB54DF55DCC1FA673EAFB89324B1980A9ED18CB312E676E842CB60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                      • Instruction ID: 1457101fd30c6740d03b68710ed512037f57a0ac480a396debb1c6da404e4e57
                                                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                      • Instruction Fuzzy Hash: 5901F272A106008FDF21CF60C804BAA33E5EF86246F1540BADA0B97281EB70A8418B80
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1406450301.0000000002F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2f70000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0ad81c4efe27b0c7e19adbd1095000f0b1ec6937ce74b801f0e3c7654ff788f6
                                                                                                                      • Instruction ID: f84a79ef156bd687c3177c987988b4075ae39092bd7ebe77add4d720d4865366
                                                                                                                      • Opcode Fuzzy Hash: 0ad81c4efe27b0c7e19adbd1095000f0b1ec6937ce74b801f0e3c7654ff788f6
                                                                                                                      • Instruction Fuzzy Hash: 3EC012B1D0D391DDF715CB189310358BFD457917C4F50C48EE28841615C7F681C58311
                                                                                                                      Strings
                                                                                                                      • runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected da, xrefs: 00428C26
                                                                                                                      • ,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
                                                                                                                      • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC
                                                                                                                      • ", xrefs: 00428CF9
                                                                                                                      • bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00428C95
                                                                                                                      • VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C26000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected da
                                                                                                                      • API String ID: 0-1657157675
                                                                                                                      • Opcode ID: c8105c4506bea2f01e6806786f9db8435e0fcd44a24355fedfb8b60769be681b
                                                                                                                      • Instruction ID: b72b3c0a1ae93619abf405cbf1ab97a7be6eac2670bbef61e048567993f9a868
                                                                                                                      • Opcode Fuzzy Hash: c8105c4506bea2f01e6806786f9db8435e0fcd44a24355fedfb8b60769be681b
                                                                                                                      • Instruction Fuzzy Hash: CA5105B46097158FD340EF65D18575EBBE0FF88718F808A2EE49887352DB389944CF9A
                                                                                                                      Strings
                                                                                                                      • releasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32, xrefs: 00434756
                                                                                                                      • m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic Bi, xrefs: 00434778
                                                                                                                      • releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statusstun.sip, xrefs: 00434852
                                                                                                                      • m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=$WINDIR\rss%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1404121864.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1404121864.0000000000A7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C26000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C7C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C8B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404121864.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_400000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=$WINDIR\rss%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic Bi$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statusstun.sip$releasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32
                                                                                                                      • API String ID: 0-2553090713
                                                                                                                      • Opcode ID: e4a9c480fa1b9ad80c08763501278aea63df18cc753c7f79eda8304b04d1fd3c
                                                                                                                      • Instruction ID: 2ebe744312ac1d5e007bfe2d6522ee0021e7d275196b3d408aeb99656749ed52
                                                                                                                      • Opcode Fuzzy Hash: e4a9c480fa1b9ad80c08763501278aea63df18cc753c7f79eda8304b04d1fd3c
                                                                                                                      • Instruction Fuzzy Hash: C651C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE89887352D7799845CFA6

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:2.4%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:52
                                                                                                                      Total number of Limit Nodes:2
execution_graph
6682 2e8092b GetPEB
6683 2e80972
6682->6683
6684 2e8003c
6685 2e80049
6684->6685
6697 2e80e0f SetErrorMode SetErrorMode
6685->6697
6690 2e80265
6691 2e802ce VirtualProtect
6690->6691
6693 2e8030b
6691->6693
6692 2e80439 VirtualFree
6696 2e804be LoadLibraryA
6692->6696
6693->6692
6695 2e808c7
6696->6695
6698 2e80223
6697->6698
6699 2e80d90
6698->6699
6700 2e80dad
6699->6700
6701 2e80dbb GetPEB
6700->6701
6702 2e80238 VirtualAlloc
6700->6702
6701->6702
6702->6690
6703 2e80920 TerminateProcess
6719 2e80000
6720 2e80005
6719->6720
6725 2e8092b GetPEB
6720->6725
6722 2e80030
6727 2e8003c
6722->6727
6726 2e80972
6725->6726
6726->6722
6728 2e80049
6727->6728
6729 2e80e0f 2 API calls
6728->6729
6730 2e80223
6729->6730
6731 2e80d90 GetPEB
6730->6731
6732 2e80238 VirtualAlloc
6731->6732
6733 2e80265
6732->6733
6734 2e802ce VirtualProtect
6733->6734
6736 2e8030b
6734->6736
6735 2e80439 VirtualFree
6739 2e804be LoadLibraryA
6735->6739
6736->6735
6738 2e808c7
6739->6738
6740 2e80003
6741 2e80005
6740->6741
6742 2e8092b GetPEB
6741->6742
6743 2e80030
6742->6743
6744 2e8003c 7 API calls
6743->6744
6745 2e80038
6744->6745
6704 2a8c026
6705 2a8c035
6704->6705
6708 2a8c7c6
6705->6708
6710 2a8c7e1
6708->6710
6709 2a8c7ea CreateToolhelp32Snapshot
6709->6710
6711 2a8c806 Module32First
6709->6711
6710->6709
6710->6711
6712 2a8c03e
6711->6712
6713 2a8c815
6711->6713
6715 2a8c485
6713->6715
6716 2a8c4b0
6715->6716
6717 2a8c4f9
6716->6717
6718 2a8c4c1 VirtualAlloc
6716->6718
6717->6717
6718->6717

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
control_flow_graph
0 2e8003c-2e80047
1 2e80049
0->1
2 2e8004c-2e80263 call 2e80a3f call 2e80e0f call 2e80d90 VirtualAlloc
0->2
1->2
17 2e8028b-2e80292
2->17
18 2e80265-2e80289 call 2e80a69
2->18
20 2e802a1-2e802b0
17->20
22 2e802ce-2e803c2 VirtualProtect call 2e80cce call 2e80ce7
18->22
20->22
23 2e802b2-2e802cc
20->23
29 2e803d1-2e803e0
22->29
23->20
30 2e80439-2e804b8 VirtualFree
29->30
31 2e803e2-2e80437 call 2e80ce7
29->31
33 2e804be-2e804cd
30->33
34 2e805f4-2e805fe
30->34
31->29
36 2e804d3-2e804dd
33->36
37 2e8077f-2e80789
34->37
38 2e80604-2e8060d
34->38
36->34
40 2e804e3-2e80505
36->40
41 2e8078b-2e807a3
37->41
42 2e807a6-2e807b0
37->42
38->37
43 2e80613-2e80637
38->43
51 2e80517-2e80520
40->51
52 2e80507-2e80515
40->52
41->42
44 2e8086e-2e808be LoadLibraryA
42->44
45 2e807b6-2e807cb
42->45
46 2e8063e-2e80648
43->46
50 2e808c7-2e808f9
44->50
48 2e807d2-2e807d5
45->48
46->37
49 2e8064e-2e8065a
46->49
53 2e80824-2e80833
48->53
54 2e807d7-2e807e0
48->54
49->37
55 2e80660-2e8066a
49->55
56 2e808fb-2e80901
50->56
57 2e80902-2e8091d
50->57
58 2e80526-2e80547
51->58
52->58
62 2e80839-2e8083c
53->62
59 2e807e2
54->59
60 2e807e4-2e80822
54->60
61 2e8067a-2e80689
55->61
56->57
66 2e8054d-2e80550
58->66
59->53
63 2e8068f-2e806b2
61->63
64 2e80750-2e8077a
61->64
62->44
65 2e8083e-2e80847
62->65
67 2e806ef-2e806fc
63->67
68 2e806b4-2e806ed
63->68
64->46
69 2e80849
65->69
70 2e8084b-2e8086c
65->70
72 2e805e0-2e805ef
66->72
73 2e80556-2e8056b
66->73
74 2e8074b
67->74
75 2e806fe-2e80748
67->75
68->67
69->44
70->62
72->36
76 2e8056d
73->76
77 2e8056f-2e8057a
73->77
74->61
75->74
76->72
78 2e8059b-2e805bb
77->78
79 2e8057c-2e80599
77->79
84 2e805bd-2e805db
78->84
79->84
84->66
                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02E8024D
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_2e80000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID: cess$kernel32.dll
                                                                                                                      • API String ID: 4275171209-1230238691
                                                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction ID: cdd8919f617255c7124f88763a9ee65c13e7e4487e499b19a24daaab5778fd6d
                                                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                                      • Instruction Fuzzy Hash: 6D526975A01229DFDB64DF58C984BACBBB1BF09304F1480D9E94DAB351DB30AA89CF14

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 102 2a8c7c6-2a8c7df 103 2a8c7e1-2a8c7e3 102->103 104 2a8c7ea-2a8c7f6 CreateToolhelp32Snapshot 103->104 105 2a8c7e5 103->105 106 2a8c7f8-2a8c7fe 104->106 107 2a8c806-2a8c813 Module32First 104->107 105->104 106->107 112 2a8c800-2a8c804 106->112 108 2a8c81c-2a8c824 107->108 109 2a8c815-2a8c816 call 2a8c485 107->109 113 2a8c81b 109->113 112->103 112->107 113->108
                                                                                                                      APIs
                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02A8C7EE
                                                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 02A8C80E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A8C000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_2a8c000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3833638111-0
                                                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                      • Instruction ID: fe443c8035cebdec87481460f22d33b61141c0753f8c7976455914378bafdceb
                                                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                                      • Instruction Fuzzy Hash: 2BF06232600710ABD7243BB5A8CDB6A76E9AF49635F10052AE642D10C0DF70E8454E75

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 115 2e80e0f-2e80e24 SetErrorMode * 2 116 2e80e2b-2e80e2c 115->116 117 2e80e26 115->117 117->116
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,02E80223,?,?), ref: 02E80E19
                                                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,02E80223,?,?), ref: 02E80E1E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_2e80000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2340568224-0
                                                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                      • Instruction ID: 57dacdb67886c003b0a5bbb9586af1258dae52b4a04d322c3a950f0f522bdb24
                                                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                                      • Instruction Fuzzy Hash: AAD0123214512877DB003A94DC09BCE7B1CDF05B66F008011FB0DD9080C770954046E5

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 118 2e80920-2e80929 TerminateProcess
                                                                                                                      APIs
                                                                                                                      • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 02E80929
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1445502886.0000000002E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_2e80000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ProcessTerminate
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 560597551-0
                                                                                                                      • Opcode ID: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                                      • Instruction ID: 32c6b922947ea3cccd1969f265569fcdca6cd0b55213c4fffb902dc8cd283092
                                                                                                                      • Opcode Fuzzy Hash: 91797df5951f3843188fcac9909b1deb09bd5e2cea32e2d6cf15e3725c794b54
                                                                                                                      • Instruction Fuzzy Hash: 2C9002A42C425031D860259C0C01F5501052741630F3507147130AE5D0C44156404215

                                                                                                                      Control-flow Graph

                                                                                                                      • Executed
                                                                                                                      • Not Executed
                                                                                                                      control_flow_graph 119 2a8c485-2a8c4bf call 2a8c798 122 2a8c50d 119->122 123 2a8c4c1-2a8c4f4 VirtualAlloc call 2a8c512 119->123 122->122 125 2a8c4f9-2a8c50b 123->125 125->122
                                                                                                                      APIs
                                                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02A8C4D6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1444895629.0000000002A8C000.00000040.00000020.00020000.00000000.sdmp, Offset: 02A8C000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_2a8c000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 4275171209-0
                                                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                      • Instruction ID: dea9d7e3a523e784ebac0278fc5672029356e30aed446551dcf431bbc03f500c
                                                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                                      • Instruction Fuzzy Hash: AC113C79A40208EFDB01DF98CA85E99BBF5AF08350F058095F9489B361D775EA90DF90
                                                                                                                      Strings
                                                                                                                      • ,-./01456:;<=>?@BCLMNOPSZ["\, xrefs: 00428C50
                                                                                                                      • VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu, xrefs: 00428CF0
                                                                                                                      • runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:, xrefs: 00428CBC
                                                                                                                      • ", xrefs: 00428CF9
                                                                                                                      • bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00428C95
                                                                                                                      • runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected da, xrefs: 00428C26
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C8B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: "$,-./01456:;<=>?@BCLMNOPSZ["\$VirtualQuery for stack base failedadding nil Certificate to CertPoolcouldn't create a new cipher blockcouldn't delete an exclusion valuecrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapcrypto/rsa: missing pu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: mcall called on m->g0 stackruntime: sudog with non-nil waitlinkruntime:$runtime: g0 stack [runtime: insert t= runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedtime: unknown unit too many open filesunexpected InstFailunexpected da
                                                                                                                      • API String ID: 0-1657157675
                                                                                                                      • Opcode ID: c8105c4506bea2f01e6806786f9db8435e0fcd44a24355fedfb8b60769be681b
                                                                                                                      • Instruction ID: b72b3c0a1ae93619abf405cbf1ab97a7be6eac2670bbef61e048567993f9a868
                                                                                                                      • Opcode Fuzzy Hash: c8105c4506bea2f01e6806786f9db8435e0fcd44a24355fedfb8b60769be681b
                                                                                                                      • Instruction Fuzzy Hash: CA5105B46097158FD340EF65D18575EBBE0FF88718F808A2EE49887352DB389944CF9A
                                                                                                                      Strings
                                                                                                                      • m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic Bi, xrefs: 00434778
                                                                                                                      • m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=$WINDIR\rss%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat, xrefs: 004347C4
                                                                                                                      • releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statusstun.sip, xrefs: 00434852
                                                                                                                      • releasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32, xrefs: 00434756
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.1443450767.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000A7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C7C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C8B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      • Associated: 00000004.00000002.1443450767.0000000000C8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_400000_WER9Fz381n.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: m->mcache= mallocing= ms clock, nBSSRoots= p->mcache= p->status= pageSize= s.nelems= schedtick= span.list=$WINDIR\rss%!(BADPREC), s.base()=, s.npages=, settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=; Max-Age=0<invalid opBad Gat$ m->p= next= p->m= prev= span=%d: %s%s.exe%s.sys%s: %s(...), not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic Bi$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statusstun.sip$releasep: m=remote errorremoving appruntime: f= runtime: gp=s ap traffics hs trafficsetupapi.dllshort buffertraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=wtsapi32
                                                                                                                      • API String ID: 0-2553090713
                                                                                                                      • Opcode ID: e4a9c480fa1b9ad80c08763501278aea63df18cc753c7f79eda8304b04d1fd3c
                                                                                                                      • Instruction ID: 2ebe744312ac1d5e007bfe2d6522ee0021e7d275196b3d408aeb99656749ed52
                                                                                                                      • Opcode Fuzzy Hash: e4a9c480fa1b9ad80c08763501278aea63df18cc753c7f79eda8304b04d1fd3c
                                                                                                                      • Instruction Fuzzy Hash: C651C7B4608705CFD344EF65D18575EBBE0BF88308F41886EE89887352D7799845CFA6