Edit tour

Windows Analysis Report
5uVReRlvME.exe

Overview

General Information

Sample name:	5uVReRlvME.exe renamed because original name is a hash value
Original sample name:	43bfce1d0b5a83f67f9cfcbe5be0cd70eb0e0ff4d51a8e7e2d462c46bb892161.exe
Analysis ID:	1581276
MD5:	1588755c36bc56fe356bea6f41b38dd6
SHA1:	ff66fdf5312a3054cd0e598ba5e74fa2ea60b1eb
SHA256:	43bfce1d0b5a83f67f9cfcbe5be0cd70eb0e0ff4d51a8e7e2d462c46bb892161
Tags:	Amadeyexeuser-zhuzhu0009
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Credential Flusher

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected Remcos RAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files to the startup folder

Drops PE files to the user root directory

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Modifies windows update settings

Overwrites Mozilla Firefox settings

PE file contains section with special chars

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

5uVReRlvME.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\5uVReRlvME.exe" MD5: 1588755C36BC56FE356BEA6F41B38DD6)

skotes.exe (PID: 3716 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 1588755C36BC56FE356BEA6F41B38DD6)

skotes.exe (PID: 4080 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 1588755C36BC56FE356BEA6F41B38DD6)

skotes.exe (PID: 7780 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 1588755C36BC56FE356BEA6F41B38DD6)

a762d7e2e8.exe (PID: 7976 cmdline: "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

a762d7e2e8.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

ac8336f967.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe" MD5: 87330F1877C33A5A6203C49075223B16)

vncgroups.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe" MD5: 532ABCCDFE34F585BE8EEC40BDC7972D)

idmans.exe (PID: 3132 cmdline: "C:\ProgramData\idmans\idmans.exe" MD5: 532ABCCDFE34F585BE8EEC40BDC7972D)

a82132a0ca.exe (PID: 6728 cmdline: "C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe" MD5: EFD7BBABA8AA8E6865430D1FFCFBF2D5)

ec6b49ebff.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe" MD5: A799CA00B534622E3CE09CEDBB913F79)

557d4db723.exe (PID: 5076 cmdline: "C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe" MD5: 71B104246AC3F43D058E7C67E8B07DEF)

soonmaintain.exe (PID: 2516 cmdline: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe MD5: 92A9F111C456947F39B59EB9F13E4BF6)

InstallUtil.exe (PID: 7720 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)

4c60777cc9.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe" MD5: A771A9D93D804668B707E13403915080)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

4c60777cc9.exe (PID: 2328 cmdline: "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe" MD5: A771A9D93D804668B707E13403915080)

da7b434153.exe (PID: 5288 cmdline: "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe" MD5: 2A73FA2FB9F993D5F412716C3369ED0A)

powershell.exe (PID: 2056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2816 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

gretsylgaw_638708682569357197.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe" MD5: 990EC3DDAD4A74B16A404FBFDD19CEA2)

72573a0b5a.exe (PID: 5696 cmdline: "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe" MD5: 3B6A8C673CDBE5C6944E92E7DE9F75CF)

72573a0b5a.exe (PID: 2148 cmdline: "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe" MD5: 3B6A8C673CDBE5C6944E92E7DE9F75CF)

c36de44bba.exe (PID: 2412 cmdline: "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe" MD5: 80EF44E8078DD87D1399FC27FAD67B01)

20da271f67.exe (PID: 6608 cmdline: "C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe" MD5: A82B9D32414422F485E9FF40E510675F)

chrome.exe (PID: 8072 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3224 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2240,i,11010108224617170616,3557015706047403577,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

1b18db46b2.exe (PID: 5444 cmdline: "C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe" MD5: B6E7FA7056D471A01E6524CA245D0C1E)

taskkill.exe (PID: 560 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5216 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3716 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7232 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3664 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

a0f4fa9b49.exe (PID: 416 cmdline: "C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe" MD5: 93A5223F9562039D7EF899F0EC56FE60)

idmans.exe (PID: 5236 cmdline: "C:\ProgramData\idmans\idmans.exe" MD5: 532ABCCDFE34F585BE8EEC40BDC7972D)

idmans.exe (PID: 1016 cmdline: "C:\ProgramData\idmans\idmans.exe" MD5: 532ABCCDFE34F585BE8EEC40BDC7972D)

idmans.exe (PID: 2696 cmdline: "C:\ProgramData\idmans\idmans.exe" MD5: 532ABCCDFE34F585BE8EEC40BDC7972D)

rundll32.exe (PID: 7680 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

c36de44bba.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe" MD5: 80EF44E8078DD87D1399FC27FAD67B01)

c36de44bba.exe (PID: 8064 cmdline: "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe" MD5: 80EF44E8078DD87D1399FC27FAD67B01)

svchost.exe (PID: 3872 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Threatname: LummaC

{"C2 url": ["necklacebudi.lat", "sustainskelet.lat", "rapeflowwj.lat", "aspecteirs.lat", "grannyejh.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat"], "Build id": "7uZzAf--"}

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199724331900"]}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: Remcos

{"Host:Port:Password": ["casino.ddnss.de:2403:1"], "Assigned name": "idmans", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "idmans.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "idmans-KXQ59W", "Keylog flag": "2", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "idmans", "Keylog folder": "idman"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
C:\ProgramData\idmans\idmans.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\idmans\idmans.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\ProgramData\idmans\idmans.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\ProgramData\idmans\idmans.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
C:\ProgramData\idmans\idmans.exe	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
C:\ProgramData\idmans\idmans.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 17 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000014.00000002.3749941328.000002307DDC0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000009.00000003.2606272422.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.4260726771.0000000000291000.00000040.00000001.01000000.0000001B.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000012.00000002.4357723733.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000014.00000002.3737746500.000002307DC23000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.4358748739.0000000000ED8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1758:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000027.00000003.4036970096.00000000013C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2581455167.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000003.4062581686.0000000001369000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000014.00000002.3631864100.0000023065988000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb188:$a1: Remcos restarted by watchdog! 0xb700:$a3: %02i:%02i:%02i:%03i
00000022.00000002.3681499880.0000000140000000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000B.00000003.4175876589.0000000001386000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2581349627.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
00000017.00000003.3505275182.0000000000E02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x146f8:$a1: Remcos restarted by watchdog! 0x14c70:$a3: %02i:%02i:%02i:%03i
0000000B.00000003.4175178439.0000000001386000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a762d7e2e8.exe PID: 8040	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: a762d7e2e8.exe PID: 8040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: a762d7e2e8.exe PID: 8040	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ac8336f967.exe PID: 7020	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: ac8336f967.exe PID: 7020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ac8336f967.exe PID: 7020	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: vncgroups.exe PID: 5544	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: vncgroups.exe PID: 5544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: vncgroups.exe PID: 5544	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: vncgroups.exe PID: 5544	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xbccb:$a1: Remcos restarted by watchdog! 0x1df33:$a1: Remcos restarted by watchdog! 0x2cbac:$a1: Remcos restarted by watchdog! 0xc228:$a3: %02i:%02i:%02i:%03i 0xc5e0:$a3: %02i:%02i:%02i:%03i 0x1e490:$a3: %02i:%02i:%02i:%03i 0x1e848:$a3: %02i:%02i:%02i:%03i 0x2d109:$a3: %02i:%02i:%02i:%03i 0x2d4c1:$a3: %02i:%02i:%02i:%03i
Process Memory Space: idmans.exe PID: 3132	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: idmans.exe PID: 3132	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: idmans.exe PID: 3132	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: idmans.exe PID: 3132	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7b60:$a1: Remcos restarted by watchdog! 0x80bd:$a3: %02i:%02i:%02i:%03i 0x8475:$a3: %02i:%02i:%02i:%03i
Process Memory Space: idmans.exe PID: 5236	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: idmans.exe PID: 5236	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: idmans.exe PID: 5236	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: idmans.exe PID: 5236	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x75ec:$a1: Remcos restarted by watchdog! 0x1b512:$a1: Remcos restarted by watchdog! 0x7b49:$a3: %02i:%02i:%02i:%03i 0x7f01:$a3: %02i:%02i:%02i:%03i 0x1ba6f:$a3: %02i:%02i:%02i:%03i 0x1be27:$a3: %02i:%02i:%02i:%03i
Process Memory Space: idmans.exe PID: 1016	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: idmans.exe PID: 1016	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: idmans.exe PID: 1016	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: idmans.exe PID: 1016	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xeca3:$a1: Remcos restarted by watchdog! 0x1afec:$a1: Remcos restarted by watchdog! 0xf200:$a3: %02i:%02i:%02i:%03i 0xf5b8:$a3: %02i:%02i:%02i:%03i 0x1b549:$a3: %02i:%02i:%02i:%03i 0x1b901:$a3: %02i:%02i:%02i:%03i
Process Memory Space: idmans.exe PID: 2696	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: idmans.exe PID: 2696	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: idmans.exe PID: 2696	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: idmans.exe PID: 2696	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xb94a:$a1: Remcos restarted by watchdog! 0x18a71:$a1: Remcos restarted by watchdog! 0xbea7:$a3: %02i:%02i:%02i:%03i 0xc25f:$a3: %02i:%02i:%02i:%03i 0x18fce:$a3: %02i:%02i:%02i:%03i 0x19386:$a3: %02i:%02i:%02i:%03i
Process Memory Space: soonmaintain.exe PID: 2516	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: soonmaintain.exe PID: 2516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4c60777cc9.exe PID: 2328	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4c60777cc9.exe PID: 2328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 4c60777cc9.exe PID: 2328	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 20da271f67.exe PID: 6608	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 20da271f67.exe PID: 6608	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 20da271f67.exe PID: 6608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 20da271f67.exe PID: 6608	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: InstallUtil.exe PID: 7720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1b18db46b2.exe PID: 5444	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: c36de44bba.exe PID: 8064	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 106 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
30.2.72573a0b5a.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
13.0.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
13.0.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.0.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.0.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
13.0.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
13.0.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
30.2.72573a0b5a.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
28.2.72573a0b5a.exe.438cf38.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
20.2.soonmaintain.exe.23065568508.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.72573a0b5a.exe.409b8f0.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.2.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.2.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
14.2.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
14.2.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
20.2.soonmaintain.exe.23065568508.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.0.72573a0b5a.exe.bf0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.0.72573a0b5a.exe.bf0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
34.2.InstallUtil.exe.140000000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.2.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.2.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
16.2.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
16.2.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
17.0.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.0.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.0.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.0.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
17.0.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
17.0.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
1.2.skotes.exe.9f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
20.2.soonmaintain.exe.2307ddc0000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
34.2.InstallUtil.exe.140000000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.vncgroups.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.vncgroups.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.2.vncgroups.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.vncgroups.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
12.2.vncgroups.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
12.2.vncgroups.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
12.0.vncgroups.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.0.vncgroups.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
12.0.vncgroups.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.0.vncgroups.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
12.0.vncgroups.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
12.0.vncgroups.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
28.2.72573a0b5a.exe.40639b8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.72573a0b5a.exe.40639b8.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
28.2.72573a0b5a.exe.40639b8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
28.2.72573a0b5a.exe.40639b8.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xf10c:$s1: file:/// 0x7b0ad:$s1: file:/// 0xf01c:$s2: {11111-22222-10009-11112} 0xf09c:$s3: {11111-22222-50001-00000} 0x7af31:$s3: {11111-22222-50001-00000} 0x79108:$s4: get_Module 0xe890:$s5: Reverse 0x79517:$s5: Reverse 0x1eafde:$s5: Reverse 0xcd07:$s6: BlockCopy 0x1eafc8:$s7: ReadByte 0x7b0bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.2.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
17.2.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
17.2.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
17.2.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
17.2.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
28.2.72573a0b5a.exe.409b8f0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
28.2.72573a0b5a.exe.409b8f0.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
14.0.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
14.0.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.0.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
14.0.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
14.0.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
16.0.idmans.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
16.0.idmans.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
16.0.idmans.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.0.idmans.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaf8:$a1: Remcos restarted by watchdog! 0x6b070:$a3: %02i:%02i:%02i:%03i
16.0.idmans.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64d94:$str_a1: C:\Windows\System32\cmd.exe 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64e04:$str_b2: Executing file: 0x65c3c:$str_b3: GetDirectListeningPort 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65780:$str_b7: \update.vbs 0x64e2c:$str_b9: Downloaded file: 0x64e18:$str_b10: Downloading file: 0x64ebc:$str_b12: Failed to upload file: 0x65c04:$str_b13: StartForward 0x65c24:$str_b14: StopForward 0x656d8:$str_b15: fso.DeleteFile " 0x6566c:$str_b16: On Error Resume Next 0x65708:$str_b17: fso.DeleteFolder " 0x64eac:$str_b18: Uploaded file: 0x64e6c:$str_b19: Unable to delete: 0x656a0:$str_b20: while fso.FileExists(" 0x65349:$str_c0: [Firefox StoredLogins not found]
16.0.idmans.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x64c80:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x64c10:$s1: CoGetObject 0x64c24:$s1: CoGetObject 0x64c40:$s1: CoGetObject 0x6e870:$s1: CoGetObject 0x64bd0:$s2: Elevation:Administrator!new:
0.2.5uVReRlvME.exe.d00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.9f0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
33.2.20da271f67.exe.290000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.20da271f67.exe.290000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
33.2.20da271f67.exe.290000.0.unpack	infostealer_win_stealc	Find standalone Stealc sample based on decryption routine or characteristic strings	Sekoia.io	0x34458:$str01: ------ 0x3446e:$str01: ------ 0x8cd3e:$str01: ------ 0x8dd3e:$str01: ------ 0x8ed3e:$str01: ------ 0x8fd3e:$str01: ------ 0x90d3e:$str01: ------ 0x91d3e:$str01: ------ 0x92d3e:$str01: ------ 0x93d3e:$str01: ------ 0x94d3e:$str01: ------ 0x95d3e:$str01: ------ 0x96d3e:$str01: ------ 0x9bd3e:$str01: ------ 0x9cd3e:$str01: ------ 0x9cda4:$str01: ------ 0x9dda4:$str01: ------ 0x9eda4:$str01: ------ 0x9fda4:$str01: ------ 0xa0da4:$str01: ------ 0xa1d3e:$str01: ------
33.2.20da271f67.exe.290000.0.unpack	infostealer_win_stealc_str_oct24	Finds Stealc standalone samples (or dumps) based on the strings	Sekoia.io	0x347d8:$str01: -nop -c "iex(New-Object Net.WebClient).DownloadString( 0x34930:$str02: Azure\.IdentityService 0x34954:$str03: steam_tokens.txt 0x345e8:$str04: "encrypted_key":" 0x34710:$str05: prefs.js 0x34788:$str06: browser: FileZilla 0x3479c:$str07: profile: null 0x347ac:$str08: url: 0x347b4:$str09: login: 0x347bc:$str10: password:
Click to see the 73 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c36de44bba.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe, ParentProcessId: 5288, ParentProcessName: da7b434153.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', ProcessId: 2056, ProcessName: powershell.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe, ParentProcessId: 6608, ParentProcessName: 20da271f67.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 8072, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ProcessId: 7780, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c36de44bba.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\idmans\idmans.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, ProcessId: 5544, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\idmans-KXQ59W

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe, ParentProcessId: 5288, ParentProcessName: da7b434153.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx', ProcessId: 2056, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3872, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5uVReRlvME.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://prisonyfork.buzz/api	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apiH	Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllL	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/api6p	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apioqj	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/buS	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1308970
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: HEUR/AGEN.1309903
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\ProgramData\idmans\idmans.exe	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001E.00000002.3475963154.000000000126F000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199724331900"]}
Source: 13.0.idmans.exe.400000.0.unpack	Malware Configuration Extractor: Remcos {"Host:Port:Password": ["casino.ddnss.de:2403:1"], "Assigned name": "idmans", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "idmans.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "idmans-KXQ59W", "Keylog flag": "2", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "idmans", "Keylog folder": "idman"}
Source: 28.2.72573a0b5a.exe.438cf38.1.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "sustainskelet.lat", "rapeflowwj.lat", "aspecteirs.lat", "grannyejh.lat", "energyaffai.lat", "crosshuaht.lat", "discokeyus.lat"], "Build id": "7uZzAf--"}
Source: 33.2.20da271f67.exe.290000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\idmans\idmans.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe (copy)	ReversingLabs: Detection: 86%
Source: C:\zrjmnqcrx\gretsylgaw_638708682569357197.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: 5uVReRlvME.exe	Virustotal: Detection: 70%			Perma Link
Source: 5uVReRlvME.exe	ReversingLabs: Detection: 71%

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\idmans\idmans.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5uVReRlvME.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 185.215.113.43
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: abc3bc1985
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: skotes.exe
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Startup
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: rundll32
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Programs
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: http://
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: https://
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /quiet
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: &unit=
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Norton
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Sophos
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Comodo
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ------
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: VideoID
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ProductName
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: " && ren
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: random
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 7uZzAf--
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 07
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 01
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 20
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 25
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetProcAddress
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: LoadLibraryA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: lstrcatA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: OpenEventA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateEventA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CloseHandle
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Sleep
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: VirtualFree
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetSystemInfo
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: VirtualAlloc
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HeapAlloc
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetComputerNameA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: lstrcpyA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetProcessHeap
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetCurrentProcess
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: lstrlenA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ExitProcess
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetSystemTime
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: advapi32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: gdi32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: user32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: crypt32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetUserNameA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateDCA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetDeviceCaps
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ReleaseDC
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sscanf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: VMwareVMware
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HAL9TH
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: JohnDoe
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DISPLAY
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: http://185.215.113.206
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: /c4becf79229cb002.php
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: /68b591d6548ec281/
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: stok
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetFileAttributesA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HeapFree
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetFileSize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GlobalSize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: IsWow64Process
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Process32Next
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetLocalTime
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: FreeLibrary
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetVolumeInformationA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Process32First
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetLocaleInfoA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetModuleFileNameA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DeleteFileA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: FindNextFileA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: LocalFree
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: FindClose
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: LocalAlloc
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetFileSizeEx
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ReadFile
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SetFilePointer
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: WriteFile
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateFileA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: FindFirstFileA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CopyFileA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: VirtualProtect
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetLastError
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: lstrcpynA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: MultiByteToWideChar
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GlobalFree
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: WideCharToMultiByte
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GlobalAlloc
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: OpenProcess
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: TerminateProcess
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetCurrentProcessId
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: gdiplus.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ole32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: bcrypt.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: wininet.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: shlwapi.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: shell32.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: rstrtmgr.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SelectObject
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BitBlt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DeleteObject
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateCompatibleDC
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdiplusStartup
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdiplusShutdown
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipDisposeImage
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GdipFree
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CoUninitialize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CoInitialize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CoCreateInstance
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptDecrypt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptSetProperty
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptDestroyKey
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetWindowRect
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetDesktopWindow
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetDC
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CloseWindow
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: wsprintfA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CharToOemW
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: wsprintfW
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RegQueryValueExA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RegEnumKeyExA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RegOpenKeyExA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RegCloseKey
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RegEnumValueA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CryptUnprotectData
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SHGetFolderPathA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ShellExecuteExA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: InternetOpenUrlA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: InternetConnectA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: InternetCloseHandle
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HttpSendRequestA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HttpOpenRequestA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: InternetReadFile
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: InternetCrackUrlA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: StrCmpCA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: StrStrA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: StrCmpCW
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PathMatchSpecA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RmStartSession
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RmRegisterResources
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RmGetList
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: RmEndSession
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_open
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_step
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_column_text
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_finalize
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_close
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3_column_blob
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: encrypted_key
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PATH
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: NSS_Init
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: NSS_Shutdown
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PK11_FreeSlot
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PK11_Authenticate
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: C:\ProgramData\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: browser:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: profile:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: url:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: login:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: password:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Opera
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: OperaGX
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Network
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: cookies
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: .txt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: TRUE
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: FALSE
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: autofill
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: history
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: cc
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: name:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: month:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: year:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: card:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Cookies
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Login Data
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Web Data
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: History
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: logins.json
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: formSubmitURL
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: usernameField
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: encryptedUsername
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: encryptedPassword
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: guid
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: cookies.sqlite
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: formhistory.sqlite
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: places.sqlite
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: plugins
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Local Extension Settings
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Sync Extension Settings
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: IndexedDB
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Opera Stable
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Opera GX Stable
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: CURRENT
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: chrome-extension_
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Local State
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: profiles.ini
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: chrome
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: opera
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: firefox
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: wallets
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ProductName
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: x32
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: x64
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DisplayName
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DisplayVersion
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Network Info:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - IP: IP?
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Country: ISO?
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: System Summary:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - HWID:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - OS:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Architecture:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - UserName:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Computer Name:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Local Time:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - UTC:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Language:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Keyboards:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Laptop:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Running Path:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - CPU:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Threads:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Cores:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - RAM:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - Display Resolution:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: - GPU:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: User Agents:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Installed Apps:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: All Users:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Current User:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Process List:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: system_info.txt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: freebl3.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: mozglue.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: msvcp140.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: nss3.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: softokn3.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: vcruntime140.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Temp\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: .exe
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: runas
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: open
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: /c start
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %DESKTOP%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %APPDATA%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %USERPROFILE%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %DOCUMENTS%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: %RECENT%
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: *.lnk
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: files
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \discord\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Telegram Desktop\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: key_datas
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: map*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Telegram
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Tox
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: *.tox
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: *.ini
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Password
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 00000001
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 00000002
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 00000003
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: 00000004
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Pidgin
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \.purple\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: accounts.xml
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: token:
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Software\Valve\Steam
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: SteamPath
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \config\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ssfn*
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: config.vdf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DialogConfig.vdf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: libraryfolders.vdf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: loginusers.vdf
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Steam\
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: sqlite3.dll
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: done
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: soft
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: https
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: POST
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: HTTP/1.1
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: hwid
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: build
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: token
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: file_name
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: file
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: message
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 33.2.20da271f67.exe.290000.0.unpack	String decryptor: screenshot.jpg

Source: vncgroups.exe, 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_13348685-6

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=f4ab0f7633.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=f4ab0f7633.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: 5uVReRlvME.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: mozglue.pdbP source: 20da271f67.exe, 00000021.00000002.4288328107.000000006B8BD000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: wextract.pdb source: 557d4db723.exe, 00000013.00000000.3110043270.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp, 557d4db723.exe, 00000013.00000002.3894595130.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: nss3.pdb@ source: 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: wextract.pdbGCTL source: 557d4db723.exe, 00000013.00000000.3110043270.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp, 557d4db723.exe, 00000013.00000002.3894595130.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: app_mobySetup.pdb source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075540000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3753340949.000002307DE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: skotes.exe, 00000006.00000003.3251127501.0000000005739000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3617367290.0000000005748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3628582558.0000000005749000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3251067599.0000000005730000.00000004.00000020.00020000.00000000.sdmp, da7b434153.exe, 00000018.00000000.3250997932.0000000000A72000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075540000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3753340949.000002307DE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: 72573a0b5a.exe, 0000001C.00000002.3483527164.0000000005850000.00000004.08000000.00040000.00000000.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdbd- source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: ac8336f967.exe, 0000000B.00000003.4014006620.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000002.4261153064.0000000000E0C000.00000002.00000001.01000000.0000000B.sdmp, ac8336f967.exe, 0000000B.00000000.2539132091.0000000000E0C000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: mozglue.pdb source: 20da271f67.exe, 00000021.00000002.4288328107.000000006B8BD000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: protobuf-net.pdb source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\xevoEHqwR.pdb source: 72573a0b5a.exe, 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001C.00000002.3483990002.00000000059C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdb source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Code function: 7_2_007B0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

7_2_007B0DA9

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199724331900
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: casino.ddnss.de

Yara detected Generic Downloader

Source: Yara match	File source: 28.0.72573a0b5a.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.409b8f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 23.218.208.109 23.218.208.109

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Code function: 0_2_00D0E0C0 recv,recv,recv,recv,

0_2_00D0E0C0

Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=064ccba9105a04f9efce4956; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 27 Dec 2024 08:50:56 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Controli equals www.youtube.com (Youtube)
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://.css
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://.jpg
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empDU
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empUU_
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: ec6b49ebff.exe, 00000012.00000002.4370224947.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/key
Source: ec6b49ebff.exe, 00000012.00000002.4370224947.00000000055E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/keyF
Source: ec6b49ebff.exe, 00000012.00000003.3869239055.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3745732154.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040573070.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783474559.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3681536119.000000000598B000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3821253818.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3954069565.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3908359304.000000000598E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/fil=
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3606508321.000000000598B000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040382557.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: ec6b49ebff.exe, 00000012.00000003.3644064053.000000000598B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download5
Source: ec6b49ebff.exe, 00000012.00000003.3563634579.000000000598B000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3524260301.000000000598B000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3606508321.000000000598B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadI
Source: ec6b49ebff.exe, 00000012.00000003.3606508321.000000000598B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadQ
Source: ec6b49ebff.exe, 00000012.00000003.3975746546.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3821411664.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3908507686.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783610230.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3975487571.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3869756780.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadarse-
Source: ec6b49ebff.exe, 00000012.00000003.3821411664.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783610230.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadhtml
Source: ec6b49ebff.exe, 00000012.00000003.3975746546.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3746161030.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3821411664.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3908507686.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783610230.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3975487571.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3869756780.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadxt/h
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/;e
Source: c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Vd
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exeP
Source: c36de44bba.exe, 00000027.00000003.4255554330.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exed
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4255554330.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeo
Source: c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeuj
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp, 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllL
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll=
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllv
Source: 20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp, 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpB
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpHJJJ.exe.
Source: 20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpV
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpinit.exe
Source: 20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpp3
Source: 20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://185.215.113.206Local
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://185.215.113.206c4becf79229cb002.phprofiles
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000003.3617367290.0000000005748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3628582558.0000000005749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUsers
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php~
Source: InstallUtil.exe, 00000022.00000002.3685310282.00000160A98CF000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000022.00000002.3685310282.00000160A9913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.89.196.115/core/createSession
Source: InstallUtil.exe, 00000022.00000002.3685310282.00000160A9913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.89.196.115/core/sendPart
Source: InstallUtil.exe, 00000022.00000002.3685310282.00000160A9930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.89.196.115/core/sendPart.eXB
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/contact/postalCode/businessDhttp://axschema.org/contact/IM/AIMDhttp://axschema.o
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 4c60777cc9.exe, 00000017.00000003.3557065060.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588051130.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: c36de44bba.exe, 0000001F.00000003.3513840010.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3604236816.0000000000B61000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3603941130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Source: vncgroups.exe, 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, vncgroups.exe, 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, vncgroups.exe, 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, idmans.exe, 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, idmans.exe, 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: a82132a0ca.exe, 0000000F.00000003.2957475409.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3148462732.0000000001D1E000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2943177444.0000000001D0E000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2943019896.0000000001D08000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2942639762.0000000001D01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: a82132a0ca.exe, 0000000F.00000003.2953144035.0000000001CB2000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3122052257.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: a82132a0ca.exe, 0000000F.00000003.2953144035.0000000001CB2000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3122052257.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: a82132a0ca.exe, 0000000F.00000003.2953144035.0000000001CB2000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3122052257.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: soonmaintain.exe, 00000014.00000000.3135839571.0000023063672000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://namespace.google.com/openid/xmlns
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/extensions/sreg/1.1
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/extensions/sreg/1.14http://openid.net/sreg/1.04http://openid.net/sreg/1.1
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/signon/1.1
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/sreg/1.05http://openid.net/sreg/1.1
Source: 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/srv/ax/1.0
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://openid.net/xmlns/1.09http://openid.net/signon/1.0
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/none
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.openid.net/pape/policies/2007/06/phishing-resistantxhttp://schemas.openid.net/pape/po
Source: soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0$dnoa.request_nonce
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/auth/2.0/signonOhttp://specs.openid.net/auth/2.0/serverehttp://specs.openid.
Source: 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/oauth/1.0
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/pape/1.0
Source: 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/icon
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0/mode/popup
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0ghttp://specs.openid.net/extensions/ui/1.0/lang-pref
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/1.0hhttp://specs.openid.net/extensions/ui/1.0/mode/popupfhttp:
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://specs.openid.net/extensions/ui/icon
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: ec6b49ebff.exe, 00000012.00000003.4041787323.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040382557.000000000569C000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040481289.0000000005640000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040629240.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042009859.0000000005A51000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4043208613.00000000059E8000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042566515.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040972115.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040269564.000000000598F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000133000.00000040.00000001.01000000.0000001A.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000298000.00000040.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000133000.00000040.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf
Source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfthttp://www.idmanagement.gov/
Source: 20da271f67.exe, 00000021.00000002.4288328107.000000006B8BD000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287714515.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: gretsylgaw_638708682569357197.exe, 00000020.00000003.3604381039.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3633733219.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3603941130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/
Source: gretsylgaw_638708682569357197.exe, 00000020.00000003.3604381039.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3633733219.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3632510363.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3603941130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/api
Source: gretsylgaw_638708682569357197.exe, 00000020.00000003.3604381039.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3633733219.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3603941130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crownybusher.click/apiOE
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ac8336f967.exe, 0000000B.00000002.4263396767.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/
Source: ac8336f967.exe, 0000000B.00000003.4232845132.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4234774124.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/P
Source: ac8336f967.exe, 0000000B.00000003.4103812095.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4107257140.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/YYbM
Source: ac8336f967.exe, 0000000B.00000002.4262996018.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000002.4263235552.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4232375937.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4103209876.0000000003B5E000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4235528659.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4171205739.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4236717019.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4171472462.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/api
Source: ac8336f967.exe, 0000000B.00000003.4232375937.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4235528659.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202656457.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202417826.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apia
Source: ac8336f967.exe, 0000000B.00000003.4171205739.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4171472462.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apiob
Source: ac8336f967.exe, 0000000B.00000003.4232375937.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4235528659.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202656457.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202417826.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apip
Source: ac8336f967.exe, 0000000B.00000003.4232375937.0000000003B62000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4235528659.0000000003B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/apiw2
Source: ac8336f967.exe, 0000000B.00000003.4232845132.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4234774124.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/p
Source: ac8336f967.exe, 0000000B.00000003.4202887159.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click/s
Source: ac8336f967.exe, 0000000B.00000003.4134263076.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fieldhitty.click:443/api
Source: ec6b49ebff.exe, 00000012.00000003.4041787323.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040382557.000000000569C000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040481289.0000000005640000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040629240.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042009859.0000000005A51000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4043208613.00000000059E8000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042566515.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040972115.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040269564.000000000598F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: skotes.exe, 00000006.00000003.3251127501.0000000005739000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3617367290.0000000005748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3628582558.0000000005749000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3251067599.0000000005730000.00000004.00000020.00020000.00000000.sdmp, da7b434153.exe, 00000018.00000000.3250997932.0000000000A72000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/ktiwpptkkmgmawd.exe
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: skotes.exe, 00000006.00000003.2603551440.000000000571A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tienda4/musical/raw/refs/heads/main/vncgroups.exe
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: ec6b49ebff.exe, 00000012.00000003.4041787323.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040382557.000000000569C000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040481289.0000000005640000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040629240.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042009859.0000000005A51000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4043208613.00000000059E8000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4042566515.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040972115.000000000598F000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040269564.000000000598F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3514483976.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3517889204.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3518238968.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000023.00000002.3738851983.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4100349907.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/
Source: c36de44bba.exe, 00000023.00000002.3738851983.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/Y
Source: c36de44bba.exe, 00000027.00000003.4100349907.0000000001365000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/api
Source: c36de44bba.exe, 00000023.00000002.3738851983.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiSi
Source: c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3514483976.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3518238968.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apiZ
Source: c36de44bba.exe, 0000001F.00000003.3514483976.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3518238968.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/apir
Source: c36de44bba.exe, 00000027.00000003.4062769048.00000000013E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/e
Source: c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3514483976.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3518238968.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000023.00000002.3738851983.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/pi
Source: c36de44bba.exe, 00000027.00000003.4062769048.00000000013E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz/s
Source: c36de44bba.exe, 00000023.00000002.3738851983.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz:443/api
Source: a762d7e2e8.exe, 00000009.00000003.2663518824.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2625240678.0000000003440000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2581349627.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2576555032.000000000343B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2605987447.0000000003440000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606051358.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689356196.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663803632.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606272422.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: a762d7e2e8.exe, 00000009.00000003.2581436155.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2549775031.0000000003438000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2610159743.0000000000E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: a762d7e2e8.exe, 00000009.00000003.2581308378.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606051358.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2581436155.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api6p
Source: a762d7e2e8.exe, 00000009.00000003.2687257225.0000000000E62000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663803632.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689411306.0000000000E64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiH
Source: a762d7e2e8.exe, 00000009.00000003.2663518824.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api_
Source: a762d7e2e8.exe, 00000009.00000003.2606051358.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apicess
Source: a762d7e2e8.exe, 00000009.00000003.2626958053.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2610159743.0000000000E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apidqa
Source: a762d7e2e8.exe, 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687318498.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apioqj
Source: a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/b
Source: a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663518824.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/bu
Source: a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663518824.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/buS
Source: a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/buwllg
Source: a762d7e2e8.exe, 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687318498.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/o
Source: a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/pi
Source: a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/piZ
Source: a762d7e2e8.exe, 00000009.00000003.2663540840.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687113792.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689282337.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2581349627.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663540840.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apiefault-release/key4.dbPK
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: 4c60777cc9.exe, 00000017.00000002.3622631028.0000000003362000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3411143099.0000000003362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/
Source: 4c60777cc9.exe, 00000017.00000003.3614202103.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3614156408.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588339020.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000002.3622631028.0000000003362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/6
Source: 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3535105333.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3536009791.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/Y
Source: 4c60777cc9.exe, 00000017.00000002.3621820924.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000002.3622030222.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3554641473.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/api
Source: 4c60777cc9.exe, 00000017.00000003.3588051130.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000002.3622030222.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3535945056.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3557022262.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3537884834.0000000000DFD000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529481723.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/api/1
Source: 4c60777cc9.exe, 00000017.00000002.3622030222.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3554641473.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/apiF9
Source: 4c60777cc9.exe, 00000017.00000003.3557065060.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/apibu
Source: 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3535105333.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3536009791.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/s
Source: 4c60777cc9.exe, 00000017.00000003.3529592005.0000000003360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/t
Source: 4c60777cc9.exe, 00000017.00000003.3613708713.0000000003364000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3556888068.0000000003359000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588339020.0000000003360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz:443/api
Source: 4c60777cc9.exe, 00000017.00000003.3613708713.0000000003364000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529592005.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3486678069.0000000003355000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3556888068.0000000003359000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3487108704.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588339020.0000000003360000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz:443/api8ZvdX5
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/%
Source: skotes.exe, 00000006.00000003.2603439559.000000000075B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2603439559.0000000000757000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2636727447.0000000000750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/tienda4/musical/refs/heads/main/vncgroups.exe
Source: skotes.exe, 00000006.00000003.2603439559.000000000075B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/tienda4/musical/refs/heads/main/vncgroups.exeoj=
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/of
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000126F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900j
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: 72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: a762d7e2e8.exe, 00000009.00000003.2501106604.00000000034D5000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067812732.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352118989.00000000033F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 4c60777cc9.exe, 00000017.00000003.3454565026.000000000346F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: a762d7e2e8.exe, 00000009.00000003.2501208708.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2501433629.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2501106604.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2526177545.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2525750605.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2525968134.0000000003487000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4068808777.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067812732.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380526621.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352118989.00000000033F3000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352307680.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380897204.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380757829.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3853216782.00000000056A0000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp, c36de44bba.exe, 00000027.00000003.3936831059.0000000005B47000.00000004.00000800.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3907109161.0000000005B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: a762d7e2e8.exe, 00000009.00000003.2501208708.0000000003462000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4068808777.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352307680.0000000003382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: a762d7e2e8.exe, 00000009.00000003.2501208708.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2501433629.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2501106604.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2526177545.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2525750605.0000000003487000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2525968134.0000000003487000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4068808777.0000000003BA8000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067812732.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380526621.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352118989.00000000033F3000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352307680.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380897204.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380757829.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3853216782.00000000056A0000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp, c36de44bba.exe, 00000027.00000003.3936831059.0000000005B47000.00000004.00000800.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3907109161.0000000005B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: a762d7e2e8.exe, 00000009.00000003.2501208708.0000000003462000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4068808777.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352307680.0000000003382000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/about/DBKJKFHIECBAt.exe
Source: 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: a762d7e2e8.exe, 00000009.00000003.2553112387.000000000355D000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4143045210.0000000003C77000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3454565026.000000000346F000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: a762d7e2e8.exe, 00000009.00000003.2553112387.000000000355D000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4143045210.0000000003C77000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3454565026.000000000346F000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.4135248252.000000000B93E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 20da271f67.exe, 00000021.00000002.4260726771.000000000035C000.00000040.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: soonmaintain.exe, 00000014.00000000.3135839571.0000023063672000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: soonmaintain.exe, 00000014.00000000.3135839571.0000023063672000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: 1b18db46b2.exe, 00000024.00000002.3923018472.00000000014C1000.00000004.00000020.00020000.00000000.sdmp, 1b18db46b2.exe, 00000024.00000002.3940174084.0000000001691000.00000004.00000020.00020000.00000000.sdmp, 1b18db46b2.exe, 00000024.00000003.3838786667.0000000001681000.00000004.00000020.00020000.00000000.sdmp, 1b18db46b2.exe, 00000024.00000003.3832262938.0000000001357000.00000004.00000020.00020000.00000000.sdmp, 1b18db46b2.exe, 00000024.00000003.3843226615.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Find standalone Stealc sample based on decryption routine or characteristic strings Author: Sekoia.io
Source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.4357723733.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.4358748739.0000000000ED8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 1b18db46b2.exe, 00000024.00000002.3909276728.0000000000932000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_4f19f8ff-a
Source: 1b18db46b2.exe, 00000024.00000002.3909276728.0000000000932000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_13a623e1-1

PE file contains section with special chars

Source: 5uVReRlvME.exe	Static PE information: section name:
Source: 5uVReRlvME.exe	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: a82132a0ca.exe.6.dr	Static PE information: section name:
Source: a82132a0ca.exe.6.dr	Static PE information: section name: .idata
Source: a82132a0ca.exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: ec6b49ebff.exe.6.dr	Static PE information: section name:
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: .idata
Source: ec6b49ebff.exe.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: .idata
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: c36de44bba.exe.6.dr	Static PE information: section name:
Source: c36de44bba.exe.6.dr	Static PE information: section name: .idata
Source: c36de44bba.exe.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name: .idata
Source: 20da271f67.exe.6.dr	Static PE information: section name:
Source: 20da271f67.exe.6.dr	Static PE information: section name: .idata
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name: .idata
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name:
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\5uVReRlvME.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D478BB	0_2_00D478BB
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D47049	0_2_00D47049
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D48860	0_2_00D48860
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D431A8	0_2_00D431A8
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00E18101	0_2_00E18101
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00E17B6E	0_2_00E17B6E
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D04B30	0_2_00D04B30
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D04DE0	0_2_00D04DE0
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D42D10	0_2_00D42D10
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D4779B	0_2_00D4779B
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D37F36	0_2_00D37F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A378BB	1_2_00A378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A38860	1_2_00A38860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A37049	1_2_00A37049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A331A8	1_2_00A331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_009F4B30	1_2_009F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_009F4DE0	1_2_009F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A32D10	1_2_00A32D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A3779B	1_2_00A3779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A27F36	1_2_00A27F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A378BB	2_2_00A378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A38860	2_2_00A38860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A37049	2_2_00A37049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A331A8	2_2_00A331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009F4B30	2_2_009F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_009F4DE0	2_2_009F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A32D10	2_2_00A32D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A3779B	2_2_00A3779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A27F36	2_2_00A27F36
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_00791000	7_2_00791000
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_0079E094	7_2_0079E094
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007B6102	7_2_007B6102
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007A2AA1	7_2_007A2AA1
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007B43FF	7_2_007B43FF
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007A8D90	7_2_007A8D90
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007A3EA0	7_2_007A3EA0
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 9_3_00E7D15F	9_3_00E7D15F

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 0079E5A0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7A27B appears 56 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74F63 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74FFB appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7569B appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E79DAB appears 56 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7D8AF appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74D03 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74F47 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74FDF appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74C6B appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E75553 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7A3F3 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E75683 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74CE7 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74C4F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7879B appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E75093 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E74F7B appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E75657 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E7A103 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: String function: 00E75667 appears 42 times
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: String function: 00D180C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00A0DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: String function: 00A080C0 appears 260 times

Source: random[2].exe0.6.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression
Source: 557d4db723.exe.6.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2125147 bytes, 2 files, at 0x2c +A "soonmaiintain.exe" +A "soonmaintain.exe", ID 3433, number 1, 101 datablocks, 0x1503 compression

Source: 5uVReRlvME.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc author = Sekoia.io, description = Find standalone Stealc sample based on decryption routine or characteristic strings, creation_date = 2023-02-12, classification = TLP:CLEAR, version = 1.0, id = aa78772e-9b31-40f3-84f4-b8302ea63a28
Source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.4357723733.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.4358748739.0000000000ED8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\ProgramData\idmans\idmans.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: random[3].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 72573a0b5a.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: random[1].exe.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: a762d7e2e8.exe.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003244500411184
Source: random[1].exe1.6.dr	Static PE information: Section: sqttxtfh ZLIB complexity 0.9945883961905421
Source: a82132a0ca.exe.6.dr	Static PE information: Section: sqttxtfh ZLIB complexity 0.9945883961905421
Source: random[2].exe.6.dr	Static PE information: Section: qvetuklh ZLIB complexity 0.9898921537706756
Source: ec6b49ebff.exe.6.dr	Static PE information: Section: qvetuklh ZLIB complexity 0.9898921537706756
Source: random[1].exe2.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003372061965812
Source: 4c60777cc9.exe.6.dr	Static PE information: Section: .bss ZLIB complexity 1.0003372061965812
Source: random[3].exe0.6.dr	Static PE information: Section: ZLIB complexity 0.9996042687908496
Source: random[3].exe0.6.dr	Static PE information: Section: ebdcmeyg ZLIB complexity 0.994704060515573
Source: c36de44bba.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9996042687908496
Source: c36de44bba.exe.6.dr	Static PE information: Section: ebdcmeyg ZLIB complexity 0.994704060515573

Source: da7b434153.exe.6.dr, Programm.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: da7b434153.exe.6.dr, Programm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: random[2].exe1.6.dr, Programm.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: random[2].exe1.6.dr, Programm.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.adwa.spyw.expl.evad.winEXE@90/64@0/25

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\ProgramData\idmans\idmans.exe	Mutant created: \Sessions\1\BaseNamedObjects\idmans-KXQ59W
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\3ceee625-5df7-4df1-9884-bc7a8a2fe79b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03

Source: C:\Users\user\Desktop\5uVReRlvME.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe

System information queried: HandleInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "u-eng.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\5uVReRlvME.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: a762d7e2e8.exe, 00000009.00000003.2500878849.0000000003466000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2525817420.0000000003448000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4103812095.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3380636307.000000000336A000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3864289435.0000000005698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 20da271f67.exe, 00000021.00000002.4280097741.00000000057E5000.00000004.00000020.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4287481167.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: 5uVReRlvME.exe	Virustotal: Detection: 70%
Source: 5uVReRlvME.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\5uVReRlvME.exe

File read: C:\Users\user\Desktop\5uVReRlvME.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5uVReRlvME.exe "C:\Users\user\Desktop\5uVReRlvME.exe"
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe "C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe "C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe"
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: unknown	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe "C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe"
Source: unknown	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: unknown	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe "C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe "C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe"
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe "C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe "C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe"
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2240,i,11010108224617170616,3557015706047403577,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe "C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe"
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe "C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe "C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe "C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe "C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe "C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe "C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe "C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe "C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe"
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2240,i,11010108224617170616,3557015706047403577,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: winmm.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: wininet.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: netutils.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: winmm.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: wininet.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: netutils.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: winmm.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: wininet.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: netutils.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: winmm.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: wininet.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: netutils.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\idmans\idmans.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: 5uVReRlvME.exe

Static file information: File size 3282944 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 5uVReRlvME.exe

Static PE information: Raw size of gvvbyobv is bigger than: 0x100000 < 0x2b5a00

Source:	Binary string: mozglue.pdbP source: 20da271f67.exe, 00000021.00000002.4288328107.000000006B8BD000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: wextract.pdb source: 557d4db723.exe, 00000013.00000000.3110043270.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp, 557d4db723.exe, 00000013.00000002.3894595130.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: nss3.pdb@ source: 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: wextract.pdbGCTL source: 557d4db723.exe, 00000013.00000000.3110043270.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp, 557d4db723.exe, 00000013.00000002.3894595130.00007FF6F8CF9000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: app_mobySetup.pdb source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075540000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3753340949.000002307DE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: skotes.exe, 00000006.00000003.3251127501.0000000005739000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3617367290.0000000005748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3628582558.0000000005749000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3251067599.0000000005730000.00000004.00000020.00020000.00000000.sdmp, da7b434153.exe, 00000018.00000000.3250997932.0000000000A72000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075540000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3753340949.000002307DE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: 72573a0b5a.exe, 0000001C.00000002.3483527164.0000000005850000.00000004.08000000.00040000.00000000.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdbd- source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: 20da271f67.exe, 00000021.00000002.4289395956.000000006BA7F000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Admin\Workspace\1766103906\Project\Release\Project.pdb source: ac8336f967.exe, 0000000B.00000003.4014006620.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000002.4261153064.0000000000E0C000.00000002.00000001.01000000.0000000B.sdmp, ac8336f967.exe, 0000000B.00000000.2539132091.0000000000E0C000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: mozglue.pdb source: 20da271f67.exe, 00000021.00000002.4288328107.000000006B8BD000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: protobuf-net.pdb source: soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\xevoEHqwR.pdb source: 72573a0b5a.exe, 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001C.00000002.3483990002.00000000059C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\BuildAgent\work\6fe1ab573d75f9ba\src\DotNetOpenAuth.OpenId\obj\v4.0\Release\DotNetOpenAuth.OpenId.pdb source: 72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Unpacked PE file: 0.2.5uVReRlvME.exe.d00000.0.unpack :EW;.rsrc:W;.idata :W;gvvbyobv:EW;brrunild:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;gvvbyobv:EW;brrunild:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.9f0000.0.unpack :EW;.rsrc:W;.idata :W;gvvbyobv:EW;brrunild:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;gvvbyobv:EW;brrunild:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Unpacked PE file: 15.2.a82132a0ca.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sqttxtfh:EW;byszctih:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sqttxtfh:EW;byszctih:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Unpacked PE file: 18.2.ec6b49ebff.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qvetuklh:EW;wtstibuo:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Unpacked PE file: 31.2.c36de44bba.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ebdcmeyg:EW;cwlbrkyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ebdcmeyg:EW;cwlbrkyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe	Unpacked PE file: 32.2.gretsylgaw_638708682569357197.exe.e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Unpacked PE file: 33.2.20da271f67.exe.290000.0.unpack :EW;.rsrc:W;.idata :W;gngdpjhn:EW;poaqzqjh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;gngdpjhn:EW;poaqzqjh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Unpacked PE file: 35.2.c36de44bba.exe.850000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ebdcmeyg:EW;cwlbrkyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ebdcmeyg:EW;cwlbrkyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Unpacked PE file: 51.2.a0f4fa9b49.exe.a30000.0.unpack :EW;.rsrc:W;.idata :W;nrnabjtb:EW;ogfktabi:EW;.taggant:EW; vs :ER;.rsrc:W;

Yara detected Costura Assembly Loader

Source: Yara match	File source: 20.2.soonmaintain.exe.2307ddc0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.3749941328.000002307DDC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: soonmaintain.exe PID: 2516, type: MEMORYSTR

Source: random[2].exe0.6.dr

Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: ec6b49ebff.exe.6.dr	Static PE information: real checksum: 0x1fbca4 should be: 0x1f5918
Source: 72573a0b5a.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x1ecc70
Source: random[4].exe0.6.dr	Static PE information: real checksum: 0x2bee33 should be: 0x2bad53
Source: a762d7e2e8.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x88ff0
Source: 4c60777cc9.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x84727
Source: random[1].exe2.6.dr	Static PE information: real checksum: 0x0 should be: 0x84727
Source: Bunifu_UI_v1.5.3.dll.18.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: 20da271f67.exe.6.dr	Static PE information: real checksum: 0x508069 should be: 0x5012bc
Source: random[3].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x1ecc70
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x32b96a should be: 0x3223a0
Source: random[2].exe2.6.dr	Static PE information: real checksum: 0x508069 should be: 0x5012bc
Source: vncgroups[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x7a1f4
Source: da7b434153.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x685e
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0x45f5d8 should be: 0x45aaa0
Source: 5uVReRlvME.exe	Static PE information: real checksum: 0x32b96a should be: 0x3223a0
Source: idmans.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x7a1f4
Source: random[3].exe0.6.dr	Static PE information: real checksum: 0x1d3abe should be: 0x1cdb38
Source: vncgroups.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x7a1f4
Source: random[2].exe1.6.dr	Static PE information: real checksum: 0x0 should be: 0x685e
Source: a82132a0ca.exe.6.dr	Static PE information: real checksum: 0x45f5d8 should be: 0x45aaa0
Source: dll[1].18.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x1fbca4 should be: 0x1f5918
Source: a0f4fa9b49.exe.6.dr	Static PE information: real checksum: 0x2bee33 should be: 0x2bad53
Source: c36de44bba.exe.6.dr	Static PE information: real checksum: 0x1d3abe should be: 0x1cdb38

Source: 5uVReRlvME.exe	Static PE information: section name:
Source: 5uVReRlvME.exe	Static PE information: section name: .idata
Source: 5uVReRlvME.exe	Static PE information: section name: gvvbyobv
Source: 5uVReRlvME.exe	Static PE information: section name: brrunild
Source: 5uVReRlvME.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name: gvvbyobv
Source: skotes.exe.0.dr	Static PE information: section name: brrunild
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe0.6.dr	Static PE information: section name: .fptable
Source: ac8336f967.exe.6.dr	Static PE information: section name: .fptable
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: sqttxtfh
Source: random[1].exe1.6.dr	Static PE information: section name: byszctih
Source: random[1].exe1.6.dr	Static PE information: section name: .taggant
Source: a82132a0ca.exe.6.dr	Static PE information: section name:
Source: a82132a0ca.exe.6.dr	Static PE information: section name: .idata
Source: a82132a0ca.exe.6.dr	Static PE information: section name:
Source: a82132a0ca.exe.6.dr	Static PE information: section name: sqttxtfh
Source: a82132a0ca.exe.6.dr	Static PE information: section name: byszctih
Source: a82132a0ca.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: qvetuklh
Source: random[2].exe.6.dr	Static PE information: section name: wtstibuo
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: ec6b49ebff.exe.6.dr	Static PE information: section name:
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: .idata
Source: ec6b49ebff.exe.6.dr	Static PE information: section name:
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: qvetuklh
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: wtstibuo
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: .taggant
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: .idata
Source: random[3].exe0.6.dr	Static PE information: section name:
Source: random[3].exe0.6.dr	Static PE information: section name: ebdcmeyg
Source: random[3].exe0.6.dr	Static PE information: section name: cwlbrkyq
Source: random[3].exe0.6.dr	Static PE information: section name: .taggant
Source: c36de44bba.exe.6.dr	Static PE information: section name:
Source: c36de44bba.exe.6.dr	Static PE information: section name: .idata
Source: c36de44bba.exe.6.dr	Static PE information: section name:
Source: c36de44bba.exe.6.dr	Static PE information: section name: ebdcmeyg
Source: c36de44bba.exe.6.dr	Static PE information: section name: cwlbrkyq
Source: c36de44bba.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe2.6.dr	Static PE information: section name:
Source: random[2].exe2.6.dr	Static PE information: section name: .idata
Source: random[2].exe2.6.dr	Static PE information: section name: gngdpjhn
Source: random[2].exe2.6.dr	Static PE information: section name: poaqzqjh
Source: random[2].exe2.6.dr	Static PE information: section name: .taggant
Source: 20da271f67.exe.6.dr	Static PE information: section name:
Source: 20da271f67.exe.6.dr	Static PE information: section name: .idata
Source: 20da271f67.exe.6.dr	Static PE information: section name: gngdpjhn
Source: 20da271f67.exe.6.dr	Static PE information: section name: poaqzqjh
Source: 20da271f67.exe.6.dr	Static PE information: section name: .taggant
Source: random[4].exe0.6.dr	Static PE information: section name:
Source: random[4].exe0.6.dr	Static PE information: section name: .idata
Source: random[4].exe0.6.dr	Static PE information: section name: nrnabjtb
Source: random[4].exe0.6.dr	Static PE information: section name: ogfktabi
Source: random[4].exe0.6.dr	Static PE information: section name: .taggant
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name:
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name: .idata
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name: nrnabjtb
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name: ogfktabi
Source: a0f4fa9b49.exe.6.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D1D91C push ecx; ret	0_2_00D1D92F
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D11359 push es; ret	0_2_00D1135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A0D91C push ecx; ret	1_2_00A0D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A0D91C push ecx; ret	2_2_00A0D92F
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_0079E75A push ecx; ret	7_2_0079E76D

Source: 5uVReRlvME.exe	Static PE information: section name: entropy: 7.129208139987393
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.129208139987393
Source: random[1].exe1.6.dr	Static PE information: section name: sqttxtfh entropy: 7.955283388143556
Source: a82132a0ca.exe.6.dr	Static PE information: section name: sqttxtfh entropy: 7.955283388143556
Source: random[2].exe.6.dr	Static PE information: section name: qvetuklh entropy: 7.9467355253335175
Source: ec6b49ebff.exe.6.dr	Static PE information: section name: qvetuklh entropy: 7.9467355253335175
Source: random[3].exe.6.dr	Static PE information: section name: .text entropy: 7.667674316543831
Source: 72573a0b5a.exe.6.dr	Static PE information: section name: .text entropy: 7.667674316543831
Source: random[3].exe0.6.dr	Static PE information: section name: entropy: 7.982518757512326
Source: random[3].exe0.6.dr	Static PE information: section name: ebdcmeyg entropy: 7.953945438795433
Source: c36de44bba.exe.6.dr	Static PE information: section name: entropy: 7.982518757512326
Source: c36de44bba.exe.6.dr	Static PE information: section name: ebdcmeyg entropy: 7.953945438795433

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	File created: C:\ProgramData\idmans\idmans.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	File created: C:\zrjmnqcrx\gretsylgaw_638708682569357197.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	File created: C:\Users\user\AppData\Local\Temp\dD03eDN3F3\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\5uVReRlvME.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	File created: C:\ProgramData\idmans\idmans.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dll[1]

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c36de44bba.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20da271f67.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0f4fa9b49.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1b18db46b2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W

Drops PE files to the startup folder

Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe (copy)

Jump to dropped file

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe

PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\Desktop\5uVReRlvME.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c36de44bba.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c36de44bba.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20da271f67.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 20da271f67.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1b18db46b2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1b18db46b2.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0f4fa9b49.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a0f4fa9b49.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\idmans\idmans.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\idmans\idmans.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-9714

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\5uVReRlvME.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: PROCMON.EXE
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: X64DBG.EXE
Source: soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: WINDBG.EXE
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFC98C second address: EFC9B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6EC8E0B1FEh 0x0000000f jo 00007F6EC8E0B1F6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFC9B2 second address: EFC9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFBE3B second address: EFBE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6EC8E0B1F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE40A second address: EFE415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE415 second address: EFE47D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov cx, D738h 0x0000000c push 00000000h 0x0000000e sbb dx, 60FFh 0x00000013 push FCD4E55Ch 0x00000018 jno 00007F6EC8E0B202h 0x0000001e add dword ptr [esp], 032B1B24h 0x00000025 jnl 00007F6EC8E0B1FCh 0x0000002b push 00000003h 0x0000002d jmp 00007F6EC8E0B1FAh 0x00000032 push 00000000h 0x00000034 mov ecx, dword ptr [ebp+122D3C38h] 0x0000003a push 00000003h 0x0000003c add ecx, dword ptr [ebp+122D2F2Bh] 0x00000042 push 7D9074DAh 0x00000047 je 00007F6EC8E0B215h 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE47D second address: EFE481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE481 second address: EFE4D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 426F8B26h 0x00000010 mov edx, 0D8EF071h 0x00000015 lea ebx, dword ptr [ebp+124632D3h] 0x0000001b mov dword ptr [ebp+122D2D5Fh], eax 0x00000021 xchg eax, ebx 0x00000022 push esi 0x00000023 push esi 0x00000024 jmp 00007F6EC8E0B200h 0x00000029 pop esi 0x0000002a pop esi 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jg 00007F6EC8E0B1F6h 0x00000035 jns 00007F6EC8E0B1F6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE556 second address: EFE55A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE55A second address: EFE5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F6EC8E0B1F8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D27AAh], esi 0x0000002a or esi, dword ptr [ebp+122D3C14h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F6EC8E0B1F8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c push 45B93F24h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F6EC8E0B1FAh 0x0000005a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE5CB second address: EFE5D5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6EC9226D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE5D5 second address: EFE647 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 45B93FA4h 0x00000011 clc 0x00000012 cld 0x00000013 push 00000003h 0x00000015 pushad 0x00000016 call 00007F6EC8E0B1FDh 0x0000001b sbb ah, FFFFFFA3h 0x0000001e pop edx 0x0000001f movsx edi, si 0x00000022 popad 0x00000023 push 00000000h 0x00000025 stc 0x00000026 push 00000003h 0x00000028 push 5F5C1B74h 0x0000002d jmp 00007F6EC8E0B202h 0x00000032 add dword ptr [esp], 60A3E48Ch 0x00000039 pushad 0x0000003a push edx 0x0000003b sbb dx, 8D73h 0x00000040 pop edx 0x00000041 mov eax, 347BFCA7h 0x00000046 popad 0x00000047 mov dx, B612h 0x0000004b lea ebx, dword ptr [ebp+124632DCh] 0x00000051 mov edx, dword ptr [ebp+122D3D04h] 0x00000057 xchg eax, ebx 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE647 second address: EFE64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE64B second address: EFE658 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE6C8 second address: EFE721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F6EC9226D88h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2C88h], edi 0x0000002c stc 0x0000002d push 00000000h 0x0000002f call 00007F6EC9226D89h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6EC9226D8Ah 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE721 second address: EFE728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EFE728 second address: EFE83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007F6EC9226DAAh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F6EC9226D93h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jno 00007F6EC9226D8Ah 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jnl 00007F6EC9226D9Ah 0x00000029 pop eax 0x0000002a mov di, E9B5h 0x0000002e push 00000003h 0x00000030 movsx edi, si 0x00000033 pushad 0x00000034 call 00007F6EC9226D93h 0x00000039 jnp 00007F6EC9226D86h 0x0000003f pop esi 0x00000040 push edx 0x00000041 add eax, dword ptr [ebp+122D27AAh] 0x00000047 pop ebx 0x00000048 popad 0x00000049 push 00000000h 0x0000004b jmp 00007F6EC9226D90h 0x00000050 push 00000003h 0x00000052 jmp 00007F6EC9226D91h 0x00000057 push 9E71AD91h 0x0000005c push edi 0x0000005d js 00007F6EC9226D9Fh 0x00000063 pop edi 0x00000064 add dword ptr [esp], 218E526Fh 0x0000006b adc dx, 27BEh 0x00000070 lea ebx, dword ptr [ebp+124632E7h] 0x00000076 movsx edx, di 0x00000079 xchg eax, ebx 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007F6EC9226D93h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1D7BA second address: F1D7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6EC8E0B1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1D7C4 second address: F1D7CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E0D9 second address: F1E0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E0DD second address: F1E0E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E0E1 second address: F1E130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B209h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6EC8E0B202h 0x00000015 jmp 00007F6EC8E0B209h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E130 second address: F1E147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E147 second address: F1E14D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E572 second address: F1E585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6EC9226D86h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E585 second address: F1E58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E88E second address: F1E894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E9CE second address: F1E9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1E9D3 second address: F1E9D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1EB1D second address: F1EB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1EB23 second address: F1EB35 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6EC9226D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F6EC9226D8Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1EB35 second address: F1EB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push esi 0x00000007 jmp 00007F6EC8E0B200h 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1EB51 second address: F1EB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6EC9226D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1EB5B second address: F1EB61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F12C second address: F1F133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F133 second address: F1F13B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F13B second address: F1F13F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F13F second address: F1F143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F3D8 second address: F1F3FF instructions: 0x00000000 rdtsc 0x00000002 je 00007F6EC9226D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6EC9226D99h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F3FF second address: F1F41C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6EC8E0B204h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F563 second address: F1F567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F567 second address: F1F56B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F56B second address: F1F589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 jne 00007F6EC9226DA1h 0x0000000f jmp 00007F6EC9226D8Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F8AE second address: F1F8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F8B2 second address: F1F8B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F8B8 second address: F1F8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B204h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F1F8D0 second address: F1F8FF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6EC9226D86h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 js 00007F6EC9226D86h 0x00000019 jmp 00007F6EC9226D95h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2ADC3 second address: F2ADEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B209h 0x00000009 pop edx 0x0000000a jc 00007F6EC8E0B1FEh 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2ADEB second address: F2ADEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2ADEF second address: F2ADF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2ADF5 second address: F2ADFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2ADFB second address: F2ADFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2AF5A second address: F2AF96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Dh 0x00000007 js 00007F6EC9226D86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F6EC9226D99h 0x00000014 pop ebx 0x00000015 jne 00007F6EC9226D96h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2B0B8 second address: F2B0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B201h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2B0CF second address: F2B0D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2B0D8 second address: F2B0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2B36D second address: F2B38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D98h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2B670 second address: F2B681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jl 00007F6EC8E0B1F8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D66E second address: F2D673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D673 second address: F2D6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 47549A32h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F6EC8E0B1F8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push edx 0x0000002b jmp 00007F6EC8E0B207h 0x00000030 pop edi 0x00000031 push 0B5BE464h 0x00000036 push eax 0x00000037 push edx 0x00000038 push edx 0x00000039 jmp 00007F6EC8E0B201h 0x0000003e pop edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D9E4 second address: F2D9F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2DBFC second address: F2DC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2DC00 second address: F2DC18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2DC18 second address: F2DC1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2E355 second address: F2E375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6EC9226D86h 0x0000000a popad 0x0000000b pop edx 0x0000000c mov dword ptr [esp], ebx 0x0000000f jnl 00007F6EC9226D87h 0x00000015 cmc 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jnl 00007F6EC9226D86h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2E7C5 second address: F2E7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2E93F second address: F2E94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6EC9226D86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2F87E second address: F2F919 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6EC8E0B206h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F6EC8E0B1F8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push eax 0x0000002a mov esi, dword ptr [ebp+122D2DFCh] 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F6EC8E0B1F8h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d sub di, DF67h 0x00000052 jng 00007F6EC8E0B1FCh 0x00000058 mov edi, dword ptr [ebp+12463AF1h] 0x0000005e push 00000000h 0x00000060 mov edi, 22EB9086h 0x00000065 xchg eax, ebx 0x00000066 jne 00007F6EC8E0B1FEh 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jo 00007F6EC8E0B1F8h 0x00000075 push ecx 0x00000076 pop ecx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2F6E6 second address: F2F6EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F31D02 second address: F31D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F33E55 second address: F33E63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F33E63 second address: F33E68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F31A42 second address: F31A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F33038 second address: F3303D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F33E68 second address: F33EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F6EC9226D88h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F6EC9226D88h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov di, F3C2h 0x00000044 jmp 00007F6EC9226D94h 0x00000049 mov esi, edi 0x0000004b push 00000000h 0x0000004d mov edi, dword ptr [ebp+122D2C8Dh] 0x00000053 xchg eax, ebx 0x00000054 js 00007F6EC9226D8Ah 0x0000005a push eax 0x0000005b push esi 0x0000005c pop esi 0x0000005d pop eax 0x0000005e push eax 0x0000005f push edi 0x00000060 push eax 0x00000061 push edx 0x00000062 jne 00007F6EC9226D86h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3303D second address: F33043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F36461 second address: F36467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F36ACF second address: F36AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F37C42 second address: F37C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D8Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F37C53 second address: F37CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F6EC8E0B1F8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 jbe 00007F6EC8E0B1FBh 0x0000002c xor di, E55Ah 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122DB9DDh], eax 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c or edi, dword ptr [ebp+122D27D6h] 0x00000042 pop edi 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F37CA6 second address: F37CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F38D5A second address: F38DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F6EC8E0B1FEh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F6EC8E0B1F8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D1C50h] 0x00000031 push 00000000h 0x00000033 jmp 00007F6EC8E0B1FCh 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a jmp 00007F6EC8E0B203h 0x0000003f pop eax 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F6EC8E0B201h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F37E9B second address: F37EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3AD93 second address: F3AD9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3AF19 second address: F3AF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3BDF2 second address: F3BE18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F6EC8E0B1F8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3AF1D second address: F3AF22 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3CBC6 second address: F3CBCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3BE18 second address: F3BE1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3DBF4 second address: F3DBFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3FAD0 second address: F3FAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F42A0D second address: F42A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F42A15 second address: F42A1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F42A1B second address: F42A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3FBE3 second address: F3FC03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F40CE8 second address: F40CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3FCE4 second address: F3FCE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F44262 second address: F44266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3FCE8 second address: F3FCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F44EE2 second address: F44EE7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F44266 second address: F44280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F3FCEE second address: F3FCF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6EC8E0B1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45F6E second address: F45F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45F72 second address: F45F76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45043 second address: F45051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45051 second address: F45055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45125 second address: F45129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F45129 second address: F4512F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F4512F second address: F45134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F47130 second address: F47134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F47134 second address: F4713A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F4713A second address: F4713F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F47231 second address: F4723B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6EC9226D8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F4ECF4 second address: F4ECF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F4ECF8 second address: F4ED00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F527CC second address: F527D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F6EC8E0B1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F527D6 second address: F527DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F527DA second address: F527E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F527E7 second address: F52823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jng 00007F6EC9226D88h 0x00000013 push esi 0x00000014 pop esi 0x00000015 jno 00007F6EC9226D88h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f jmp 00007F6EC9226D91h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52823 second address: F52831 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52831 second address: F52835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52835 second address: F52839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52973 second address: F52988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52A47 second address: F52A51 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6EC8E0B1FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F52A51 second address: D6EE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 679571D8h 0x0000000d clc 0x0000000e push dword ptr [ebp+122D0BBDh] 0x00000014 clc 0x00000015 call dword ptr [ebp+122D2C63h] 0x0000001b pushad 0x0000001c jp 00007F6EC9226D8Dh 0x00000022 xor eax, eax 0x00000024 pushad 0x00000025 sub dword ptr [ebp+122D1E5Ah], ecx 0x0000002b popad 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 pushad 0x00000031 movsx edx, si 0x00000034 mov dword ptr [ebp+122D1E48h], edi 0x0000003a popad 0x0000003b mov dword ptr [ebp+122D3A70h], eax 0x00000041 jg 00007F6EC9226D8Ch 0x00000047 sub dword ptr [ebp+122D30F9h], esi 0x0000004d mov esi, 0000003Ch 0x00000052 mov dword ptr [ebp+122D1E5Ah], eax 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c xor dword ptr [ebp+122D2FA3h], edx 0x00000062 lodsw 0x00000064 mov dword ptr [ebp+122D2FA3h], eax 0x0000006a mov dword ptr [ebp+122D1E48h], edx 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 pushad 0x00000075 mov si, 6005h 0x00000079 mov dh, FDh 0x0000007b popad 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 jbe 00007F6EC9226D87h 0x00000086 clc 0x00000087 nop 0x00000088 jne 00007F6EC9226D92h 0x0000008e push eax 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007F6EC9226D8Ch 0x00000096 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F58C0F second address: F58C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007F6EC8E0B1FEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F58EB2 second address: F58ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D96h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDC7 second address: F5DDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDCD second address: F5DDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDD3 second address: F5DDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDDF second address: F5DDF3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6EC9226D86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F6EC9226D86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDF3 second address: F5DDF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F5DDF7 second address: F5DE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D8Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F6EC9226D88h 0x00000011 push edi 0x00000012 pop edi 0x00000013 ja 00007F6EC9226D8Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F14E1D second address: F14E31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC8E0B200h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F650BA second address: F650BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F650BF second address: F650C9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6EC8E0B1FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EF35B3 second address: EF35B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F682A0 second address: F682B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007F6EC8E0B1F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F6EC8E0B20Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C034 second address: F2C03A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C0E1 second address: F2C17C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a mov edi, edx 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a movzx edi, di 0x0000001d clc 0x0000001e mov dword ptr [ebp+12490D66h], esp 0x00000024 jc 00007F6EC8E0B1F6h 0x0000002a cmp dword ptr [ebp+122D3BBCh], 00000000h 0x00000031 jne 00007F6EC8E0B30Eh 0x00000037 call 00007F6EC8E0B200h 0x0000003c jno 00007F6EC8E0B1FCh 0x00000042 pop ecx 0x00000043 mov byte ptr [ebp+122D2C58h], 00000047h 0x0000004a push esi 0x0000004b stc 0x0000004c pop edi 0x0000004d mov eax, D49AA7D2h 0x00000052 and edx, dword ptr [ebp+122D3CB4h] 0x00000058 push eax 0x00000059 pushad 0x0000005a jns 00007F6EC8E0B1FCh 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F6EC8E0B208h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C426 second address: F2C42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C42A second address: D6EE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F6EC8E0B1FAh 0x0000000c nop 0x0000000d mov cx, AEC8h 0x00000011 push dword ptr [ebp+122D0BBDh] 0x00000017 mov dword ptr [ebp+122D2EE3h], eax 0x0000001d call dword ptr [ebp+122D2C63h] 0x00000023 pushad 0x00000024 jp 00007F6EC8E0B1FDh 0x0000002a je 00007F6EC8E0B1F7h 0x00000030 stc 0x00000031 xor eax, eax 0x00000033 pushad 0x00000034 sub dword ptr [ebp+122D1E5Ah], ecx 0x0000003a popad 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f pushad 0x00000040 movsx edx, si 0x00000043 mov dword ptr [ebp+122D1E48h], edi 0x00000049 popad 0x0000004a mov dword ptr [ebp+122D3A70h], eax 0x00000050 jg 00007F6EC8E0B1FCh 0x00000056 mov esi, 0000003Ch 0x0000005b mov dword ptr [ebp+122D1E5Ah], eax 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 xor dword ptr [ebp+122D2FA3h], edx 0x0000006b lodsw 0x0000006d mov dword ptr [ebp+122D2FA3h], eax 0x00000073 mov dword ptr [ebp+122D1E48h], edx 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d pushad 0x0000007e mov si, 6005h 0x00000082 mov dh, FDh 0x00000084 popad 0x00000085 mov ebx, dword ptr [esp+24h] 0x00000089 jbe 00007F6EC8E0B1F7h 0x0000008f clc 0x00000090 nop 0x00000091 jne 00007F6EC8E0B202h 0x00000097 push eax 0x00000098 push eax 0x00000099 push edx 0x0000009a jmp 00007F6EC8E0B1FCh 0x0000009f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C612 second address: F2C617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C66A second address: F2C671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C6F0 second address: F2C711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007F6EC9226D96h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C711 second address: F2C73D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6EC8E0B1F8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d add edi, dword ptr [ebp+122D3A58h] 0x00000013 nop 0x00000014 pushad 0x00000015 jmp 00007F6EC8E0B203h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C73D second address: F2C741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2C741 second address: F2C74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CA4C second address: F2CAD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edi 0x00000009 ja 00007F6EC9226D8Ch 0x0000000f pop edi 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F6EC9226D88h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b call 00007F6EC9226D96h 0x00000030 mov dword ptr [ebp+122D2A16h], edi 0x00000036 pop ecx 0x00000037 movsx edi, di 0x0000003a push 00000004h 0x0000003c mov ecx, dword ptr [ebp+122D3B0Ch] 0x00000042 nop 0x00000043 jmp 00007F6EC9226D97h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F6EC9226D8Ah 0x00000050 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CDF6 second address: F2CE0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CE0C second address: F2CE9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F6EC9226D88h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F6EC9226D88h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dx, bx 0x0000002b jmp 00007F6EC9226D94h 0x00000030 push 0000001Eh 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F6EC9226D88h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov dx, 3C50h 0x00000050 nop 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F6EC9226D97h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CE9E second address: F2CEA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CEA4 second address: F2CEAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CEAA second address: F2CEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D226 second address: F2D22A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D22A second address: F2D2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F6EC8E0B1FBh 0x0000000e jmp 00007F6EC8E0B203h 0x00000013 popad 0x00000014 nop 0x00000015 jmp 00007F6EC8E0B1FCh 0x0000001a lea eax, dword ptr [ebp+12490D52h] 0x00000020 add dword ptr [ebp+122D2DEBh], ecx 0x00000026 push eax 0x00000027 jnl 00007F6EC8E0B202h 0x0000002d mov dword ptr [esp], eax 0x00000030 adc dh, FFFFFF90h 0x00000033 lea eax, dword ptr [ebp+12490D0Eh] 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F6EC8E0B1F8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 mov ecx, dword ptr [ebp+122D3C58h] 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push edx 0x0000005d pushad 0x0000005e popad 0x0000005f pop edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2D2B6 second address: F14E1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F6EC9226D88h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 call dword ptr [ebp+122D2C5Dh] 0x0000002c push ecx 0x0000002d jns 00007F6EC9226D8Ch 0x00000033 pop ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6EC9226D94h 0x0000003b pushad 0x0000003c jnp 00007F6EC9226D86h 0x00000042 jne 00007F6EC9226D86h 0x00000048 jno 00007F6EC9226D86h 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F687C9 second address: F687CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F687CD second address: F687EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D93h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F687EB second address: F687F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F687F1 second address: F6881B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6EC9226D91h 0x0000000c popad 0x0000000d pushad 0x0000000e jc 00007F6EC9226D8Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F6881B second address: F68821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68821 second address: F68831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F6EC9226D86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68831 second address: F68835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F6898E second address: F68994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68994 second address: F689AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6EC8E0B1FCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F6EC8E0B202h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68C68 second address: F68C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jmp 00007F6EC9226D8Fh 0x0000000b pop edx 0x0000000c jmp 00007F6EC9226D92h 0x00000011 jo 00007F6EC9226D8Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68C98 second address: F68CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F6EC8E0B1FBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68CAE second address: F68CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F6EC9226D8Ch 0x0000000b jns 00007F6EC9226D86h 0x00000011 ja 00007F6EC9226D8Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68DFB second address: F68E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F68E07 second address: F68E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F6EC9226D8Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EEE414 second address: EEE418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F702A9 second address: F702AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7043D second address: F70443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70443 second address: F70451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jns 00007F6EC9226D86h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70C9C second address: F70CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70CA0 second address: F70CA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70FB1 second address: F70FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70FB5 second address: F70FD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70FD2 second address: F70FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B201h 0x00000007 jnp 00007F6EC8E0B1F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F70FF2 second address: F71005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 jno 00007F6EC9226D88h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F71005 second address: F7100B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F737AE second address: F737B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F6EC9226D86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F733BD second address: F733C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7666F second address: F76675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F75EF9 second address: F75F07 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F76381 second address: F76385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F76385 second address: F763A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6EC8E0B1F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F6EC8E0B201h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7CDF6 second address: F7CDFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7CDFB second address: F7CE03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7CE03 second address: F7CE0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7BE02 second address: F7BE0E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6EC8E0B1FEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F2CCE6 second address: F2CCEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7BF82 second address: F7BF92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F6EC8E0B1F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7BF92 second address: F7BF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7BF98 second address: F7BF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7C0F2 second address: F7C0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F391 second address: F7F3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6EC8E0B209h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F3B2 second address: F7F3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F4FD second address: F7F522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B206h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F6EC8E0B1F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F522 second address: F7F526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F526 second address: F7F53F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B205h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F9DD second address: F7F9EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F6EC9226D86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F7F9EE second address: F7F9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F812F8 second address: F81303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6EC9226D86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F845B3 second address: F845B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F84820 second address: F84824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F84824 second address: F84864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F6EC8E0B1FDh 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F6EC8E0B1FFh 0x0000001a pushad 0x0000001b jnc 00007F6EC8E0B1F6h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pop esi 0x00000028 jbe 00007F6EC8E0B1F6h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F8BD7D second address: F8BD81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F8C53D second address: F8C541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F8D344 second address: F8D348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F8D62B second address: F8D63D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jno 00007F6EC8E0B1F6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F91725 second address: F91747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F6EC9226D99h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9089C second address: F908A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F908A2 second address: F908B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F908B4 second address: F908B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F90C92 second address: F90C98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F90C98 second address: F90C9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F90C9D second address: F90CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F90FD0 second address: F90FEC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6EC8E0B202h 0x00000008 jnl 00007F6EC8E0B1FEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F91180 second address: F91186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BBEE second address: F9BBF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BBF4 second address: F9BC04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F6EC9226D86h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BC04 second address: F9BC08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BD5C second address: F9BD60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BD60 second address: F9BD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BD68 second address: F9BD7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F6EC9226D86h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007F6EC9226D86h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F9BEC5 second address: F9BECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA4AC6 second address: FA4AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D95h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F6EC9226D86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA4AEE second address: FA4AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA4AF9 second address: FA4B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6EC9226D8Ah 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA4B0D second address: FA4B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 push ecx 0x00000008 jg 00007F6EC8E0B1F6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6EC8E0B200h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA4B30 second address: FA4B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA44C4 second address: FA44CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA44CD second address: FA44D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FA44D1 second address: FA44FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B202h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6EC8E0B202h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB0545 second address: FB0549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FAFED6 second address: FAFF0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F6EC8E0B209h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FAFF0C second address: FAFF48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F6EC9226D98h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F6EC9226D86h 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FAFF48 second address: FAFF52 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6EC8E0B1F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB00A6 second address: FB00AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB228B second address: FB2293 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB2293 second address: FB2298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB2298 second address: FB229E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB229E second address: FB22AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB2452 second address: FB2458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FB2458 second address: FB246A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007F6EC9226D86h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FBA82A second address: FBA82E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FC0500 second address: FC050A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6EC9226D86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FC050A second address: FC0517 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FC0517 second address: FC0536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D8Ch 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FC5C71 second address: FC5C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F6EC8E0B1F6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EE5BC0 second address: EE5BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EE5BC4 second address: EE5BE9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6EC8E0B208h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EE5BE9 second address: EE5C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC9226D98h 0x00000009 popad 0x0000000a jng 00007F6EC9226DA1h 0x00000010 jmp 00007F6EC9226D95h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD202A second address: FD2043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6EC8E0B202h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD0997 second address: FD099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD099C second address: FD09A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD12A9 second address: FD12BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6EC9226D86h 0x0000000a pop edi 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD1D37 second address: FD1D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD1D3D second address: FD1D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD1D41 second address: FD1D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6EC8E0B200h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD50BD second address: FD50DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jp 00007F6EC9226D86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: EEFFD9 second address: EEFFDE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD6AF3 second address: FD6B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F6EC9226D8Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F6EC9226D93h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD6B19 second address: FD6B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD9175 second address: FD917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD917B second address: FD918A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jnp 00007F6EC8E0B1F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FD8FF6 second address: FD9005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F6EC9226D86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE801B second address: FE8023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE8023 second address: FE802E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE7E96 second address: FE7EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE7EA0 second address: FE7EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F6EC9226D8Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE7EAF second address: FE7EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F6EC8E0B1FEh 0x0000000a push eax 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE9639 second address: FE963D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE3EB4 second address: FE3ED7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B202h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F6EC8E0B1FAh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FE3ED7 second address: FE3EDC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FF72C2 second address: FF72C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: FF72C6 second address: FF72E1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6EC9226D86h 0x00000008 jnp 00007F6EC9226D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jnc 00007F6EC9226D86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 1010234 second address: 101023C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 101023C second address: 1010240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 1010240 second address: 1010246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 100F305 second address: 100F309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 100F5AB second address: 100F5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 100F5B1 second address: 100F5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 100F730 second address: 100F73A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6EC8E0B1F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 100F73A second address: 100F740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 101307A second address: 10130EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6EC8E0B1FFh 0x0000000b popad 0x0000000c push eax 0x0000000d jg 00007F6EC8E0B205h 0x00000013 jmp 00007F6EC8E0B1FFh 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F6EC8E0B1F8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 push dword ptr [ebp+1246AEA3h] 0x00000039 cmc 0x0000003a mov dword ptr [ebp+1246AE5Ah], eax 0x00000040 push 07308D00h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 jmp 00007F6EC8E0B201h 0x0000004d pop eax 0x0000004e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 10130EC second address: 10130F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 10142FA second address: 101431A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6EC8E0B1FBh 0x00000009 popad 0x0000000a jmp 00007F6EC8E0B200h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 101431A second address: 1014320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 1014320 second address: 101432A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6EC8E0B1F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 101432A second address: 1014333 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 1014333 second address: 1014339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 101775A second address: 1017768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6EC9226D86h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040D72 second address: 5040D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040D77 second address: 5040D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040D89 second address: 5040D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040D8D second address: 5040D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040D9C second address: 5040DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040DA0 second address: 5040DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040DA6 second address: 5040DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B200h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F6EC8E0B200h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F6EC8E0B200h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040DE6 second address: 5040DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040DEA second address: 5040DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040DEE second address: 5040DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5090128 second address: 509012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 509012C second address: 5090132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5090132 second address: 5090138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5090138 second address: 509013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50201C1 second address: 50201D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50201D6 second address: 502023B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 43306123h 0x00000010 mov eax, 1D9DEC7Fh 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007F6EC9226D92h 0x0000001d push dword ptr [ebp+04h] 0x00000020 jmp 00007F6EC9226D90h 0x00000025 push dword ptr [ebp+0Ch] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6EC9226D97h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 502023B second address: 5020241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 502027F second address: 5020285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020285 second address: 502028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 502028B second address: 502028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040A99 second address: 5040AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC8E0B1FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040AAA second address: 5040B4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6EC9226D8Ch 0x00000013 adc esi, 41CA1188h 0x00000019 jmp 00007F6EC9226D8Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6EC9226D90h 0x00000029 jmp 00007F6EC9226D95h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F6EC9226D90h 0x00000035 sbb ah, 00000048h 0x00000038 jmp 00007F6EC9226D8Bh 0x0000003d popfd 0x0000003e popad 0x0000003f mov esi, 57B539BFh 0x00000044 popad 0x00000045 xchg eax, ebp 0x00000046 jmp 00007F6EC9226D92h 0x0000004b mov ebp, esp 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040B4F second address: 5040B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040B6C second address: 5040B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040B72 second address: 5040B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040B76 second address: 5040B7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040704 second address: 504070A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504070A second address: 504075E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F6EC9226D94h 0x00000010 jmp 00007F6EC9226D95h 0x00000015 popfd 0x00000016 mov bx, si 0x00000019 popad 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e movzx esi, di 0x00000021 mov edi, 5D588D48h 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F6EC9226D8Ah 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040624 second address: 5040636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, AAA7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040636 second address: 504063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504063B second address: 5040659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040659 second address: 504065D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504065D second address: 5040663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040663 second address: 5040680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D99h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040680 second address: 5040684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040684 second address: 5040698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, 52DB0675h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040698 second address: 504069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040308 second address: 504030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504030C second address: 5040312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040312 second address: 5040318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040318 second address: 504031C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504031C second address: 5040359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F6EC9226D90h 0x0000000e push eax 0x0000000f jmp 00007F6EC9226D8Bh 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6EC9226D95h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040359 second address: 50403B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC8E0B207h 0x00000009 add ecx, 1548AC7Eh 0x0000000f jmp 00007F6EC8E0B209h 0x00000014 popfd 0x00000015 jmp 00007F6EC8E0B200h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F6EC8E0B1FAh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50403B7 second address: 50403C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050220 second address: 5050224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050224 second address: 505022A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505022A second address: 5050230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050230 second address: 5050234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5090013 second address: 509005A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F6EC8E0B207h 0x0000000b and eax, 11A0843Eh 0x00000011 jmp 00007F6EC8E0B209h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 509005A second address: 509005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 509005E second address: 5090064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5090064 second address: 509009A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6EC9226D98h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 509009A second address: 50900A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50900A9 second address: 50900D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cx, 9EC5h 0x00000010 popad 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6EC9226D97h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 506038D second address: 5060391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060391 second address: 5060397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060397 second address: 50603E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov esi, ebx 0x0000000e popad 0x0000000f mov ax, 77E7h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 mov bx, si 0x0000001a jmp 00007F6EC8E0B204h 0x0000001f popad 0x00000020 mov eax, dword ptr [ebp+08h] 0x00000023 jmp 00007F6EC8E0B200h 0x00000028 and dword ptr [eax], 00000000h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 mov cx, bx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50603E5 second address: 50603EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50603EB second address: 50603EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50603EF second address: 5060453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax+04h], 00000000h 0x0000000c pushad 0x0000000d jmp 00007F6EC9226D98h 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F6EC9226D90h 0x00000019 xor ax, 5F38h 0x0000001e jmp 00007F6EC9226D8Bh 0x00000023 popfd 0x00000024 movzx eax, di 0x00000027 popad 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d call 00007F6EC9226D8Ch 0x00000032 pop eax 0x00000033 mov edi, 3FD9C5D6h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060453 second address: 5060459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060459 second address: 506045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50404F6 second address: 5040505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040505 second address: 504050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504050B second address: 5040543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6EC8E0B205h 0x00000012 xor ah, 00000076h 0x00000015 jmp 00007F6EC8E0B201h 0x0000001a popfd 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040543 second address: 50405C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6EC9226D8Ch 0x00000013 add ecx, 5EC110C8h 0x00000019 jmp 00007F6EC9226D8Bh 0x0000001e popfd 0x0000001f mov esi, 1C9E363Fh 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F6EC9226D97h 0x00000030 adc ecx, 33E5E7BEh 0x00000036 jmp 00007F6EC9226D99h 0x0000003b popfd 0x0000003c mov bx, ax 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50405C2 second address: 50405E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6EC8E0B1FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050E81 second address: 5050EB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, 9743h 0x0000000f pushad 0x00000010 mov bl, cl 0x00000012 mov eax, edx 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F6EC9226D8Ch 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 mov dh, C3h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050EB9 second address: 5050EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050EBF second address: 5050EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050EC3 second address: 5050EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 506011D second address: 5060122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060122 second address: 506014B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007F6EC8E0B209h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 506014B second address: 506017C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC9226D90h 0x00000009 and cx, 0948h 0x0000000e jmp 00007F6EC9226D8Bh 0x00000013 popfd 0x00000014 push esi 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 506017C second address: 5060180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060180 second address: 5060184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5060184 second address: 506018A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 506018A second address: 50601C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6EC9226D8Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, C620h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50601C0 second address: 50601C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50601C6 second address: 50601CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080788 second address: 50807AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, 89B9h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e jmp 00007F6EC8E0B202h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50807AC second address: 50807B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50807B0 second address: 5080839 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6EC8E0B1FEh 0x00000008 or cl, FFFFFFF8h 0x0000000b jmp 00007F6EC8E0B1FBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 jmp 00007F6EC8E0B206h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F6EC8E0B1FCh 0x00000024 sbb esi, 075A0288h 0x0000002a jmp 00007F6EC8E0B1FBh 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F6EC8E0B208h 0x00000036 xor ecx, 6D2964E8h 0x0000003c jmp 00007F6EC8E0B1FBh 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080839 second address: 5080859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6EC9226D93h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080859 second address: 50808A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FB65FCh] 0x0000000e jmp 00007F6EC8E0B1FEh 0x00000013 test eax, eax 0x00000015 pushad 0x00000016 mov eax, 7F14766Dh 0x0000001b mov bx, cx 0x0000001e popad 0x0000001f je 00007F6F3ACBE2C7h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808A1 second address: 50808A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808A5 second address: 50808A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808A9 second address: 50808AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808AF second address: 50808B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808B4 second address: 50808F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ecx, eax 0x00000009 jmp 00007F6EC9226D8Eh 0x0000000e xor eax, dword ptr [ebp+08h] 0x00000011 jmp 00007F6EC9226D91h 0x00000016 and ecx, 1Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6EC9226D8Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50808F1 second address: 5080901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC8E0B1FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080901 second address: 5080905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080905 second address: 508098B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a jmp 00007F6EC8E0B207h 0x0000000f leave 0x00000010 pushad 0x00000011 call 00007F6EC8E0B204h 0x00000016 pop edi 0x00000017 call 00007F6EC8E0B1FEh 0x0000001c mov ch, FEh 0x0000001e pop edi 0x0000001f popad 0x00000020 retn 0004h 0x00000023 nop 0x00000024 mov esi, eax 0x00000026 lea eax, dword ptr [ebp-08h] 0x00000029 xor esi, dword ptr [00D62014h] 0x0000002f push eax 0x00000030 push eax 0x00000031 push eax 0x00000032 lea eax, dword ptr [ebp-10h] 0x00000035 push eax 0x00000036 call 00007F6ECD16BA88h 0x0000003b push FFFFFFFEh 0x0000003d jmp 00007F6EC8E0B1FAh 0x00000042 pop eax 0x00000043 pushad 0x00000044 push eax 0x00000045 mov dx, 1C00h 0x00000049 pop edi 0x0000004a mov edi, ecx 0x0000004c popad 0x0000004d ret 0x0000004e nop 0x0000004f push eax 0x00000050 call 00007F6ECD16BA99h 0x00000055 mov edi, edi 0x00000057 jmp 00007F6EC8E0B200h 0x0000005c xchg eax, ebp 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F6EC8E0B1FAh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 508098B second address: 508099A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 508099A second address: 50809E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6EC8E0B1FFh 0x00000008 pushfd 0x00000009 jmp 00007F6EC8E0B208h 0x0000000e and esi, 771FFF08h 0x00000014 jmp 00007F6EC8E0B1FBh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ax, 0A11h 0x00000025 movzx esi, dx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50809E6 second address: 5080A1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6EC9226D90h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080A1B second address: 5080A38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5080A38 second address: 5080A52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 503000D second address: 503001F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC8E0B1FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 503001F second address: 503003D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6EC9226D93h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 503003D second address: 50300FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC8E0B1FFh 0x00000009 adc eax, 7EB42E8Eh 0x0000000f jmp 00007F6EC8E0B209h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F6EC8E0B200h 0x0000001b sub ecx, 07EE9908h 0x00000021 jmp 00007F6EC8E0B1FBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov dword ptr [esp], ebp 0x0000002d pushad 0x0000002e pushad 0x0000002f movzx ecx, bx 0x00000032 call 00007F6EC8E0B207h 0x00000037 pop esi 0x00000038 popad 0x00000039 popad 0x0000003a mov ebp, esp 0x0000003c pushad 0x0000003d mov ax, 5957h 0x00000041 mov cl, 33h 0x00000043 popad 0x00000044 and esp, FFFFFFF8h 0x00000047 pushad 0x00000048 mov di, 8DC8h 0x0000004c call 00007F6EC8E0B201h 0x00000051 jmp 00007F6EC8E0B200h 0x00000056 pop ecx 0x00000057 popad 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F6EC8E0B1FDh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50300FD second address: 503010D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 503010D second address: 5030138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6EC8E0B205h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030138 second address: 5030227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC9226D97h 0x00000009 jmp 00007F6EC9226D93h 0x0000000e popfd 0x0000000f movzx ecx, dx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esp 0x00000016 pushad 0x00000017 mov esi, 75CB6D8Dh 0x0000001c mov ah, 55h 0x0000001e popad 0x0000001f mov dword ptr [esp], ebx 0x00000022 jmp 00007F6EC9226D95h 0x00000027 mov ebx, dword ptr [ebp+10h] 0x0000002a pushad 0x0000002b call 00007F6EC9226D8Ch 0x00000030 pushfd 0x00000031 jmp 00007F6EC9226D92h 0x00000036 adc ah, 00000038h 0x00000039 jmp 00007F6EC9226D8Bh 0x0000003e popfd 0x0000003f pop eax 0x00000040 call 00007F6EC9226D99h 0x00000045 pushfd 0x00000046 jmp 00007F6EC9226D90h 0x0000004b xor cx, E0C8h 0x00000050 jmp 00007F6EC9226D8Bh 0x00000055 popfd 0x00000056 pop eax 0x00000057 popad 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F6EC9226D91h 0x00000062 jmp 00007F6EC9226D8Bh 0x00000067 popfd 0x00000068 mov ecx, 3B12D01Fh 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030227 second address: 5030273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e jmp 00007F6EC8E0B208h 0x00000013 mov esi, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007F6EC8E0B1FDh 0x0000001e pop ecx 0x0000001f jmp 00007F6EC8E0B201h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030273 second address: 5030366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ebx, ecx 0x0000000e pushfd 0x0000000f jmp 00007F6EC9226D96h 0x00000014 sbb ax, 4CA8h 0x00000019 jmp 00007F6EC9226D8Bh 0x0000001e popfd 0x0000001f popad 0x00000020 jmp 00007F6EC9226D98h 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F6EC9226D8Bh 0x0000002c xchg eax, edi 0x0000002d jmp 00007F6EC9226D96h 0x00000032 test esi, esi 0x00000034 jmp 00007F6EC9226D90h 0x00000039 je 00007F6F3B125097h 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F6EC9226D8Dh 0x00000046 and ecx, 533AA386h 0x0000004c jmp 00007F6EC9226D91h 0x00000051 popfd 0x00000052 popad 0x00000053 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005a pushad 0x0000005b pushfd 0x0000005c jmp 00007F6EC9226D8Ch 0x00000061 xor ax, 3628h 0x00000066 jmp 00007F6EC9226D8Bh 0x0000006b popfd 0x0000006c mov bh, cl 0x0000006e popad 0x0000006f je 00007F6F3B125056h 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 push ebx 0x00000079 pop eax 0x0000007a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030366 second address: 5030380 instructions: 0x00000000 rdtsc 0x00000002 mov dh, B7h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6EC8E0B202h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030380 second address: 50303D1 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c pushad 0x0000000d mov ah, 7Fh 0x0000000f jmp 00007F6EC9226D95h 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F6EC9226D90h 0x0000001b sbb si, 5D48h 0x00000020 jmp 00007F6EC9226D8Bh 0x00000025 popfd 0x00000026 popad 0x00000027 or edx, dword ptr [ebp+0Ch] 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50303D1 second address: 50303D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50303D7 second address: 5030446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC9226D98h 0x00000009 xor ax, C2D8h 0x0000000e jmp 00007F6EC9226D8Bh 0x00000013 popfd 0x00000014 call 00007F6EC9226D98h 0x00000019 pop eax 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test edx, 61000000h 0x00000023 pushad 0x00000024 mov bx, 8002h 0x00000028 mov ch, bh 0x0000002a popad 0x0000002b jne 00007F6F3B124FE0h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 call 00007F6EC9226D8Eh 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030446 second address: 503049A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6EC8E0B1FBh 0x00000008 adc ax, 57AEh 0x0000000d jmp 00007F6EC8E0B209h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov eax, 31D29C37h 0x0000001a popad 0x0000001b test byte ptr [esi+48h], 00000001h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6EC8E0B209h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 503049A second address: 50304EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6EC9226D97h 0x00000008 pop eax 0x00000009 mov dh, A9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F6F3B124F6Dh 0x00000014 pushad 0x00000015 jmp 00007F6EC9226D8Eh 0x0000001a call 00007F6EC9226D92h 0x0000001f mov di, si 0x00000022 pop ecx 0x00000023 popad 0x00000024 test bl, 00000007h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 502094C second address: 5020952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020952 second address: 50209B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 79h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test esi, esi 0x0000000c pushad 0x0000000d jmp 00007F6EC9226D99h 0x00000012 push eax 0x00000013 push edx 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 popad 0x00000017 je 00007F6F3B12C797h 0x0000001d pushad 0x0000001e mov al, 53h 0x00000020 mov ax, dx 0x00000023 popad 0x00000024 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002b pushad 0x0000002c push eax 0x0000002d movsx edi, si 0x00000030 pop eax 0x00000031 popad 0x00000032 mov ecx, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6EC9226D96h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50209B2 second address: 5020A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC8E0B201h 0x00000009 adc ah, 00000056h 0x0000000c jmp 00007F6EC8E0B201h 0x00000011 popfd 0x00000012 push esi 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007F6F3AD10BB8h 0x0000001d pushad 0x0000001e mov esi, 5327D1BFh 0x00000023 mov dl, al 0x00000025 popad 0x00000026 test byte ptr [76FB6968h], 00000002h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov cx, A8AFh 0x00000034 mov cx, 20CBh 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020A03 second address: 5020A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, D7F2h 0x00000007 mov dh, 81h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F6F3B12C72Dh 0x00000012 pushad 0x00000013 mov cx, DF97h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F6EC9226D8Ah 0x0000001f sbb cx, F308h 0x00000024 jmp 00007F6EC9226D8Bh 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020A38 second address: 5020A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov edx, dword ptr [ebp+0Ch] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020A48 second address: 5020A8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6EC9226D8Ch 0x00000011 add esi, 55E5E7C8h 0x00000017 jmp 00007F6EC9226D8Bh 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f mov esi, 31CBD755h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020A8D second address: 5020AEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F6EC8E0B1FDh 0x0000000f or eax, 4DF830E6h 0x00000015 jmp 00007F6EC8E0B201h 0x0000001a popfd 0x0000001b call 00007F6EC8E0B200h 0x00000020 mov bl, cl 0x00000022 pop ebx 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F6EC8E0B1FAh 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F6EC8E0B1FAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020AEA second address: 5020AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020AEE second address: 5020AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020AF4 second address: 5020AFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020AFA second address: 5020B2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B208h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6EC8E0B1FCh 0x00000014 mov edx, esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020B2B second address: 5020B77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov bx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e call 00007F6EC9226D8Eh 0x00000013 mov bx, si 0x00000016 pop ecx 0x00000017 mov dl, 1Ch 0x00000019 popad 0x0000001a push dword ptr [ebp+14h] 0x0000001d pushad 0x0000001e mov esi, 05CE9FABh 0x00000023 mov ax, 8B87h 0x00000027 popad 0x00000028 push dword ptr [ebp+10h] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F6EC9226D94h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5020B77 second address: 5020B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030D02 second address: 5030D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030D08 second address: 5030D2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6EC8E0B202h 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop ecx 0x00000014 movsx edi, ax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030D2D second address: 5030D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC9226D8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030D3B second address: 5030DC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f mov eax, 4DD053CBh 0x00000014 pushfd 0x00000015 jmp 00007F6EC8E0B200h 0x0000001a sub eax, 11225AD8h 0x00000020 jmp 00007F6EC8E0B1FBh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F6EC8E0B204h 0x00000030 sub ax, 2538h 0x00000035 jmp 00007F6EC8E0B1FBh 0x0000003a popfd 0x0000003b jmp 00007F6EC8E0B208h 0x00000040 popad 0x00000041 pop ebp 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030DC2 second address: 5030DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030DC6 second address: 5030DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030DCC second address: 5030DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030DD2 second address: 5030DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030B04 second address: 5030B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030B0A second address: 5030B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6EC8E0B1FEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6EC8E0B1FAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5030B30 second address: 5030B3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50B0730 second address: 50B0736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A08D2 second address: 50A08E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A08E1 second address: 50A091E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6EC8E0B1FEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6EC8E0B1FEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A07A3 second address: 50A07BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6EC9226D8Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A07BC second address: 50A07C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A07C2 second address: 50A07C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A07C6 second address: 50A07CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A07CA second address: 50A0808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a mov esi, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F6EC9226D8Fh 0x00000014 sbb eax, 0A0624FEh 0x0000001a jmp 00007F6EC9226D99h 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040008 second address: 504000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 504000C second address: 5040022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5040022 second address: 504009D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edi, 221E2C52h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e jmp 00007F6EC8E0B206h 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F6EC8E0B1FEh 0x0000001d sbb ch, FFFFFF98h 0x00000020 jmp 00007F6EC8E0B1FBh 0x00000025 popfd 0x00000026 pushad 0x00000027 mov esi, 5A66F3E5h 0x0000002c jmp 00007F6EC8E0B202h 0x00000031 popad 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F6EC8E0B207h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B15 second address: 50A0B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B1A second address: 50A0B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6EC8E0B1FBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B45 second address: 50A0B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B62 second address: 50A0B7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6EC8E0B207h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B7F second address: 50A0B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6EC9226D90h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50A0B99 second address: 50A0BF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC8E0B201h 0x00000009 add cl, 00000036h 0x0000000c jmp 00007F6EC8E0B201h 0x00000011 popfd 0x00000012 mov bl, cl 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushfd 0x0000001f jmp 00007F6EC8E0B202h 0x00000024 adc eax, 50E31688h 0x0000002a jmp 00007F6EC8E0B1FBh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: F301E7 second address: F301ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50504B9 second address: 505050B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F6EC8E0B202h 0x0000000f sbb cx, 8DA8h 0x00000014 jmp 00007F6EC8E0B1FBh 0x00000019 popfd 0x0000001a jmp 00007F6EC8E0B208h 0x0000001f popad 0x00000020 mov dword ptr [esp], ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ch, dh 0x00000028 mov di, ax 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505050B second address: 5050510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050510 second address: 50505D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6EC8E0B207h 0x0000000a xor ecx, 494310FEh 0x00000010 jmp 00007F6EC8E0B209h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b jmp 00007F6EC8E0B1FEh 0x00000020 push FFFFFFFEh 0x00000022 jmp 00007F6EC8E0B200h 0x00000027 push F8AB5ECDh 0x0000002c jmp 00007F6EC8E0B201h 0x00000031 add dword ptr [esp], 7E4E614Bh 0x00000038 jmp 00007F6EC8E0B1FEh 0x0000003d push 19324CD5h 0x00000042 jmp 00007F6EC8E0B201h 0x00000047 add dword ptr [esp], 5DBE612Bh 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 pushad 0x00000052 popad 0x00000053 call 00007F6EC8E0B209h 0x00000058 pop esi 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50505D9 second address: 50505DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50505DF second address: 50505E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50505E3 second address: 505064D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000000h] 0x00000011 pushad 0x00000012 call 00007F6EC9226D8Ah 0x00000017 mov ax, 87C1h 0x0000001b pop eax 0x0000001c popad 0x0000001d push esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F6EC9226D8Fh 0x00000027 adc si, 15EEh 0x0000002c jmp 00007F6EC9226D99h 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505064D second address: 5050652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050652 second address: 5050687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6EC9226D95h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050687 second address: 5050697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6EC8E0B1FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050697 second address: 50506C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub esp, 1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6EC9226D95h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50506C2 second address: 505074E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F6EC8E0B202h 0x0000000f mov dword ptr [esp], ebx 0x00000012 pushad 0x00000013 call 00007F6EC8E0B1FEh 0x00000018 pushfd 0x00000019 jmp 00007F6EC8E0B202h 0x0000001e add ax, 5218h 0x00000023 jmp 00007F6EC8E0B1FBh 0x00000028 popfd 0x00000029 pop ecx 0x0000002a pushfd 0x0000002b jmp 00007F6EC8E0B209h 0x00000030 xor ecx, 21BF93B6h 0x00000036 jmp 00007F6EC8E0B201h 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505074E second address: 5050754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050754 second address: 5050759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050759 second address: 505075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505075F second address: 505077B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ecx, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505077B second address: 505077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505077F second address: 50507C2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6EC8E0B209h 0x00000008 jmp 00007F6EC8E0B1FBh 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6EC8E0B205h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50507C2 second address: 50507F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F6EC9226D8Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6EC9226D8Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50507F7 second address: 50507FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 50507FD second address: 505089D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007F6EC9226D8Eh 0x00000011 mov eax, dword ptr [76FBB370h] 0x00000016 jmp 00007F6EC9226D90h 0x0000001b xor dword ptr [ebp-08h], eax 0x0000001e jmp 00007F6EC9226D90h 0x00000023 xor eax, ebp 0x00000025 jmp 00007F6EC9226D91h 0x0000002a nop 0x0000002b pushad 0x0000002c movzx esi, bx 0x0000002f movsx ebx, cx 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 mov ecx, edx 0x00000037 pushfd 0x00000038 jmp 00007F6EC9226D8Dh 0x0000003d add si, E166h 0x00000042 jmp 00007F6EC9226D91h 0x00000047 popfd 0x00000048 popad 0x00000049 nop 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F6EC9226D8Dh 0x00000051 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505089D second address: 505092B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F6EC8E0B1FEh 0x00000011 mov dword ptr fs:[00000000h], eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F6EC8E0B1FEh 0x0000001e xor ah, FFFFFF98h 0x00000021 jmp 00007F6EC8E0B1FBh 0x00000026 popfd 0x00000027 pushad 0x00000028 mov ecx, 635418E5h 0x0000002d pushfd 0x0000002e jmp 00007F6EC8E0B202h 0x00000033 sbb ax, 58F8h 0x00000038 jmp 00007F6EC8E0B1FBh 0x0000003d popfd 0x0000003e popad 0x0000003f popad 0x00000040 mov esi, dword ptr [ebp+08h] 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F6EC8E0B200h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505092B second address: 5050931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050A6F second address: 50504B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B201h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6F3AC7A3EDh 0x0000000e jne 00007F6EC8E0B219h 0x00000010 xor ecx, ecx 0x00000012 mov dword ptr [esi], ecx 0x00000014 mov dword ptr [esi+04h], ecx 0x00000017 mov dword ptr [esi+08h], ecx 0x0000001a mov dword ptr [esi+0Ch], ecx 0x0000001d mov dword ptr [esi+10h], ecx 0x00000020 mov dword ptr [esi+14h], ecx 0x00000023 mov ecx, dword ptr [ebp-10h] 0x00000026 mov dword ptr fs:[00000000h], ecx 0x0000002d pop ecx 0x0000002e pop edi 0x0000002f pop esi 0x00000030 pop ebx 0x00000031 mov esp, ebp 0x00000033 pop ebp 0x00000034 retn 0004h 0x00000037 nop 0x00000038 pop ebp 0x00000039 ret 0x0000003a add esi, 18h 0x0000003d pop ecx 0x0000003e cmp esi, 00D656A8h 0x00000044 jne 00007F6EC8E0B1E0h 0x00000046 push esi 0x00000047 call 00007F6EC8E0BA63h 0x0000004c push ebp 0x0000004d mov ebp, esp 0x0000004f push dword ptr [ebp+08h] 0x00000052 call 00007F6ECD13E6E9h 0x00000057 mov edi, edi 0x00000059 pushad 0x0000005a mov bl, al 0x0000005c push eax 0x0000005d push edx 0x0000005e mov cx, dx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050041 second address: 505006A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6EC9226D8Fh 0x00000009 jmp 00007F6EC9226D93h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505006A second address: 505008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F6EC8E0B204h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505008D second address: 5050091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050091 second address: 5050095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050095 second address: 505009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 505009B second address: 5050115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6EC8E0B206h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov cl, E1h 0x00000014 call 00007F6EC8E0B203h 0x00000019 call 00007F6EC8E0B208h 0x0000001e pop eax 0x0000001f pop edx 0x00000020 popad 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6EC8E0B208h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050115 second address: 5050119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5uVReRlvME.exe	RDTSC instruction interceptor: First address: 5050119 second address: 505011F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEC98C second address: BEC9B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6EC9226D8Eh 0x0000000f jo 00007F6EC9226D86h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEC9B2 second address: BEC9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEBE3B second address: BEBE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6EC9226D86h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE415 second address: BEE47D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov cx, D738h 0x0000000c push 00000000h 0x0000000e sbb dx, 60FFh 0x00000013 push FCD4E55Ch 0x00000018 jno 00007F6EC8E0B202h 0x0000001e add dword ptr [esp], 032B1B24h 0x00000025 jnl 00007F6EC8E0B1FCh 0x0000002b push 00000003h 0x0000002d jmp 00007F6EC8E0B1FAh 0x00000032 push 00000000h 0x00000034 mov ecx, dword ptr [ebp+122D3C38h] 0x0000003a push 00000003h 0x0000003c add ecx, dword ptr [ebp+122D2F2Bh] 0x00000042 push 7D9074DAh 0x00000047 je 00007F6EC8E0B215h 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE47D second address: BEE481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE481 second address: BEE4D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B203h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 426F8B26h 0x00000010 mov edx, 0D8EF071h 0x00000015 lea ebx, dword ptr [ebp+124632D3h] 0x0000001b mov dword ptr [ebp+122D2D5Fh], eax 0x00000021 xchg eax, ebx 0x00000022 push esi 0x00000023 push esi 0x00000024 jmp 00007F6EC8E0B200h 0x00000029 pop esi 0x0000002a pop esi 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jg 00007F6EC8E0B1F6h 0x00000035 jns 00007F6EC8E0B1F6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE556 second address: BEE55A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE55A second address: BEE5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F6EC8E0B1F8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D27AAh], esi 0x0000002a or esi, dword ptr [ebp+122D3C14h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F6EC8E0B1F8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c push 45B93F24h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F6EC8E0B1FAh 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE5CB second address: BEE5D5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6EC9226D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE5D5 second address: BEE647 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 45B93FA4h 0x00000011 clc 0x00000012 cld 0x00000013 push 00000003h 0x00000015 pushad 0x00000016 call 00007F6EC8E0B1FDh 0x0000001b sbb ah, FFFFFFA3h 0x0000001e pop edx 0x0000001f movsx edi, si 0x00000022 popad 0x00000023 push 00000000h 0x00000025 stc 0x00000026 push 00000003h 0x00000028 push 5F5C1B74h 0x0000002d jmp 00007F6EC8E0B202h 0x00000032 add dword ptr [esp], 60A3E48Ch 0x00000039 pushad 0x0000003a push edx 0x0000003b sbb dx, 8D73h 0x00000040 pop edx 0x00000041 mov eax, 347BFCA7h 0x00000046 popad 0x00000047 mov dx, B612h 0x0000004b lea ebx, dword ptr [ebp+124632DCh] 0x00000051 mov edx, dword ptr [ebp+122D3D04h] 0x00000057 xchg eax, ebx 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE647 second address: BEE64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE64B second address: BEE658 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6EC8E0B1F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE6C8 second address: BEE721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC9226D8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F6EC9226D88h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2C88h], edi 0x0000002c stc 0x0000002d push 00000000h 0x0000002f call 00007F6EC9226D89h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F6EC9226D8Ah 0x0000003b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE721 second address: BEE728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE728 second address: BEE83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007F6EC9226DAAh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F6EC9226D93h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jno 00007F6EC9226D8Ah 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jnl 00007F6EC9226D9Ah 0x00000029 pop eax 0x0000002a mov di, E9B5h 0x0000002e push 00000003h 0x00000030 movsx edi, si 0x00000033 pushad 0x00000034 call 00007F6EC9226D93h 0x00000039 jnp 00007F6EC9226D86h 0x0000003f pop esi 0x00000040 push edx 0x00000041 add eax, dword ptr [ebp+122D27AAh] 0x00000047 pop ebx 0x00000048 popad 0x00000049 push 00000000h 0x0000004b jmp 00007F6EC9226D90h 0x00000050 push 00000003h 0x00000052 jmp 00007F6EC9226D91h 0x00000057 push 9E71AD91h 0x0000005c push edi 0x0000005d js 00007F6EC9226D9Fh 0x00000063 pop edi 0x00000064 add dword ptr [esp], 218E526Fh 0x0000006b adc dx, 27BEh 0x00000070 lea ebx, dword ptr [ebp+124632E7h] 0x00000076 movsx edx, di 0x00000079 xchg eax, ebx 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007F6EC9226D93h 0x00000081 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: C0D7BA second address: C0D7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6EC8E0B1F6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: C0D7C4 second address: C0D7CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEC98C second address: BEC9B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6EC8E0B1FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6EC8E0B1FEh 0x0000000f jo 00007F6EC8E0B1F6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEBE3B second address: BEBE47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6EC8E0B1F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: BEE40A second address: BEE415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	RDTSC instruction interceptor: First address: C0E0D9 second address: C0E0DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Special instruction interceptor: First address: D6EE88 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Special instruction interceptor: First address: D6ED9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Special instruction interceptor: First address: D6C20E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Special instruction interceptor: First address: FAA54A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: A5EE88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: A5ED9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: A5C20E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: C9A54A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Special instruction interceptor: First address: 13CB784 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Special instruction interceptor: First address: 121F68E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Special instruction interceptor: First address: 13DBE4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Special instruction interceptor: First address: 122196C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Special instruction interceptor: First address: 145BFFD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Special instruction interceptor: First address: 81C992 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Special instruction interceptor: First address: 9D6955 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Special instruction interceptor: First address: 81C9B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Special instruction interceptor: First address: 9E1962 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Special instruction interceptor: First address: A727AB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Special instruction interceptor: First address: 8A613A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Special instruction interceptor: First address: A74A03 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Special instruction interceptor: First address: AD6E4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Special instruction interceptor: First address: 4DFAAC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Special instruction interceptor: First address: 4DD2EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Special instruction interceptor: First address: 6AD7EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Special instruction interceptor: First address: 71165E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Special instruction interceptor: First address: A3DE07 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Special instruction interceptor: First address: BE64A4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Special instruction interceptor: First address: A3DD44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Special instruction interceptor: First address: C7AA80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Special instruction interceptor: First address: A43CFB instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory allocated: 23063B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory allocated: 2307D400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Memory allocated: 12E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Memory allocated: 5250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Memory allocated: 4FB0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Code function: 0_2_050A0B7C rdtsc

0_2_050A0B7C

Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599863
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599744
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599420
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599163
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598411
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598137
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597714
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597607
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597490
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597351
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597130
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597014
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596669
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596441
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596326
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595738
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595351
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595233
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595118
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594998
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594736
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594498
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594380
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594265
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594153
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594022
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593796
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593687
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593577
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593465
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593357
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592531
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592405
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592278
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592168
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592016
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591843
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591703
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591562
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591437
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591310
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591161
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591030
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590891
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590762
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590639
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590526
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590414
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590234
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589857
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589553
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589344
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589172
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588953
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588734
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588563
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588375
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588252
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588094
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587964
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587825
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587695
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587547
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587078
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586766
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586625
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586508
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586405
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586297
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586187
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586063
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585922
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585797
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585685
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585578
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 702	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1021	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1046	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1093	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1170	Jump to behavior
Source: C:\ProgramData\idmans\idmans.exe	Window / User API: foregroundWindowGot 1729
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window / User API: threadDelayed 1241
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window / User API: threadDelayed 1232
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window / User API: threadDelayed 1250
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window / User API: threadDelayed 1234
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Window / User API: threadDelayed 1259
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Window / User API: threadDelayed 8708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1312

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dD03eDN3F3\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7824	Thread sleep count: 702 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7824	Thread sleep time: -1404702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7800	Thread sleep count: 844 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7800	Thread sleep time: -1688844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7784	Thread sleep count: 303 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7784	Thread sleep time: -9090000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7816	Thread sleep count: 1021 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7816	Thread sleep time: -2043021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796	Thread sleep count: 1046 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7796	Thread sleep time: -2093046s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7820	Thread sleep count: 1093 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7820	Thread sleep time: -2187093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7804	Thread sleep count: 1170 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7804	Thread sleep time: -2341170s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe TID: 8060	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe TID: 8736	Thread sleep time: -150000s >= -30000s
Source: C:\ProgramData\idmans\idmans.exe TID: 5744	Thread sleep count: 175 > 30
Source: C:\ProgramData\idmans\idmans.exe TID: 5744	Thread sleep time: -87500s >= -30000s
Source: C:\ProgramData\idmans\idmans.exe TID: 3624	Thread sleep count: 133 > 30
Source: C:\ProgramData\idmans\idmans.exe TID: 3624	Thread sleep time: -399000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 6212	Thread sleep count: 1241 > 30
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 6212	Thread sleep time: -2483241s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 4140	Thread sleep count: 1232 > 30
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 4140	Thread sleep time: -2465232s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 7444	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 4388	Thread sleep count: 1250 > 30
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 4388	Thread sleep time: -2501250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 1896	Thread sleep count: 1234 > 30
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 1896	Thread sleep time: -2469234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 6220	Thread sleep count: 1259 > 30
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe TID: 6220	Thread sleep time: -2519259s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe TID: 4632	Thread sleep time: -34965s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe TID: 3900	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 2080	Thread sleep count: 8708 > 30
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599863s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599744s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599420s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599311s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599163s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -598656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -598411s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -598137s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597714s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597607s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597490s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597351s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597130s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -597014s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596669s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596441s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -595738s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -595351s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -595233s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -595118s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594998s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594736s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594380s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -594022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593577s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593465s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -593357s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -592531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -592405s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -592278s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -592168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -592016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591161s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -591030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590526s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590414s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -590234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -589857s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -589553s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -589344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -589172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588252s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -588094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -587964s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -587825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -587695s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -587547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -587078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586508s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586405s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -586063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -585922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -585797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -585685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -585578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe TID: 6956	Thread sleep time: -585468s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2656	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe TID: 940	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe TID: 3844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe TID: 416	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 6744	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe TID: 6548	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe TID: 6548	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 5624	Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 5624	Thread sleep time: -214107s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 3660	Thread sleep count: 108 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 3660	Thread sleep time: -216108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 7940	Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6628	Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6628	Thread sleep time: -176088s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6516	Thread sleep count: 101 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6516	Thread sleep time: -202101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6568	Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6568	Thread sleep time: -188094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 7704	Thread sleep count: 101 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 7704	Thread sleep time: -202101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6648	Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6648	Thread sleep time: -218109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6588	Thread sleep count: 99 > 30
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe TID: 6588	Thread sleep time: -198099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 4132	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 1208	Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 5236	Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 5236	Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 704	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 704	Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 6012	Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 5664	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 5664	Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 4280	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 7164	Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 1620	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 1620	Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 604	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 604	Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 1648	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe TID: 1648	Thread sleep time: -72036s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3244	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3116	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe TID: 8404	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\5uVReRlvME.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Code function: 7_2_007B0DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

7_2_007B0DA9

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599863
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599744
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599640
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599531
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599420
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599311
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599163
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598656
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598411
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598137
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597714
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597607
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597490
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597351
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597249
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597130
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 597014
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596890
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596781
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596669
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596562
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596441
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596326
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595738
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595351
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595233
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 595118
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594998
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594859
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594736
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594609
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594498
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594380
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594265
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594153
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 594022
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593796
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593687
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593577
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593465
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 593357
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592531
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592405
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592278
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592168
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 592016
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591843
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591703
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591562
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591437
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591310
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591161
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 591030
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590891
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590762
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590639
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590526
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590414
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 590234
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589857
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589553
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589344
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 589172
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588953
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588734
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588563
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588375
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588252
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 588094
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587964
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587825
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587695
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587547
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 587078
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586766
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586625
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586508
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586405
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586297
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586187
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 586063
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585922
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585797
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585685
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585578
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Thread delayed: delay time: 585468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: skotes.exe, skotes.exe, 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmp, a82132a0ca.exe, 0000000F.00000002.3045911301.00000000013AA000.00000040.00000001.01000000.0000000E.sdmp, ec6b49ebff.exe, 00000012.00000002.4356957290.00000000009B6000.00000040.00000001.01000000.0000000F.sdmp, c36de44bba.exe, 0000001F.00000002.3516047886.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp, 20da271f67.exe, 00000021.00000000.3590561721.0000000000666000.00000080.00000001.01000000.0000001B.sdmp, 20da271f67.exe, 00000021.00000002.4262386831.0000000000666000.00000040.00000001.01000000.0000001B.sdmp, c36de44bba.exe, 00000023.00000002.3740219285.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ac8336f967.exe, 0000000B.00000002.4262130097.000000000134C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3632510363.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWr
Source: a762d7e2e8.exe, 00000009.00000002.2689238223.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606272422.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663803632.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689356196.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687113792.0000000000DDC000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2581349627.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4258418819.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4065326832.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000002.4262996018.0000000001386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000133000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: &VBoxService.exe
Source: a82132a0ca.exe, 0000000F.00000003.2957475409.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3148462732.0000000001D1E000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2943177444.0000000001D0E000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2943019896.0000000001D08000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000003.2942639762.0000000001D01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 72573a0b5a.exe, 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001C.00000002.3483990002.00000000059C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: TQIFFJWDXOOLJHSZWIJGHLFZSRRETBPLSYFHXWBHTJHGFSDRIKEBZBLHLJNORSKWY
Source: a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000133000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: VBoxService.exe
Source: ac8336f967.exe, 0000000B.00000003.4258418819.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4065326832.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000002.4262996018.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4175876589.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4236717019.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4175178439.0000000001386000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWRk
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.000000000027D000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.000000000027D000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.0000000000133000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: VMWare
Source: soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: 72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWJ
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.000000000027D000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: 5uVReRlvME.exe, 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmp, a82132a0ca.exe, 0000000F.00000002.3045911301.00000000013AA000.00000040.00000001.01000000.0000000E.sdmp, ec6b49ebff.exe, 00000012.00000002.4356957290.00000000009B6000.00000040.00000001.01000000.0000000F.sdmp, c36de44bba.exe, 0000001F.00000002.3516047886.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp, 20da271f67.exe, 00000021.00000002.4262386831.0000000000666000.00000040.00000001.01000000.0000001B.sdmp, c36de44bba.exe, 00000023.00000002.3740219285.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW z_
Source: 20da271f67.exe, 00000021.00000000.3590561721.0000000000666000.00000080.00000001.01000000.0000001B.sdmp	Binary or memory string: \\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_1-10034
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_1-10025
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_2-10034
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	API call chain: ExitProcess graph end node	graph_2-10025

Source: C:\Users\user\Desktop\5uVReRlvME.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Code function: 0_2_050A0B7C rdtsc

0_2_050A0B7C

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Code function: 7_2_007A72FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_007A72FD

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D3652B mov eax, dword ptr fs:[00000030h]	0_2_00D3652B
Source: C:\Users\user\Desktop\5uVReRlvME.exe	Code function: 0_2_00D3A302 mov eax, dword ptr fs:[00000030h]	0_2_00D3A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A2A302 mov eax, dword ptr fs:[00000030h]	1_2_00A2A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 1_2_00A2652B mov eax, dword ptr fs:[00000030h]	1_2_00A2652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A2A302 mov eax, dword ptr fs:[00000030h]	2_2_00A2A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 2_2_00A2652B mov eax, dword ptr fs:[00000030h]	2_2_00A2652B
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007C619E mov edi, dword ptr fs:[00000030h]	7_2_007C619E
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_00791690 mov edi, dword ptr fs:[00000030h]	7_2_00791690

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Code function: 7_2_007AC705 GetProcessHeap,

7_2_007AC705

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_0079E06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0079E06C
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_007A72FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_007A72FD
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_0079E42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0079E42C
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: 7_2_0079E420 SetUnhandledExceptionFilter,	7_2_0079E420

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Code function: 7_2_007C619E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

7_2_007C619E

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Memory written: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Memory written: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: a762d7e2e8.exe, 00000007.00000002.2452308276.0000000002C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat
Source: ac8336f967.exe, 0000000B.00000002.4261679137.0000000000F76000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: fieldhitty.click
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: 4c60777cc9.exe, 00000015.00000002.3281462313.000000000150E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bellflamre.click
Source: c36de44bba.exe, 0000001F.00000002.3515816157.0000000000851000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: mindhandru.buzz
Source: gretsylgaw_638708682569357197.exe, 00000020.00000002.3605047081.00000000000E1000.00000040.00000001.01000000.0000001A.sdmp	String found in binary or memory: crownybusher.click

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

Thread register set: target process: 7720

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140000000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140001000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 140008000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 14000B000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 14000D000
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 4C26A29010

Source: C:\Users\user\Desktop\5uVReRlvME.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe "C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe "C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe "C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe "C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe "C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe "C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe "C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe "C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe "C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe "C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Process created: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe "C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	Process created: C:\ProgramData\idmans\idmans.exe "C:\ProgramData\idmans\idmans.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Process created: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe "C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe"
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Process created: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe "C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T

Source: ec6b49ebff.exe, 00000012.00000002.4356957290.00000000009B6000.00000040.00000001.01000000.0000000F.sdmp	Binary or memory string: BProgram Manager
Source: 1b18db46b2.exe, 00000024.00000002.3909276728.0000000000932000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 20da271f67.exe, 00000021.00000002.4263432935.00000000006AA000.00000040.00000001.01000000.0000001B.sdmp	Binary or memory string: ZProgram Manager
Source: c36de44bba.exe, 0000001F.00000002.3516047886.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp, c36de44bba.exe, 00000023.00000002.3740219285.0000000000A2A000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: &Program Manager
Source: 5uVReRlvME.exe, 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: wProgram Manager

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_007B0062
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,	7_2_007B08CD
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,	7_2_007ABA4C
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: EnumSystemLocalesW,	7_2_007B02B3
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_007B034E
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: EnumSystemLocalesW,	7_2_007B05A1
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,	7_2_007B0600
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: EnumSystemLocalesW,	7_2_007B06D5
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,	7_2_007B0720
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: EnumSystemLocalesW,	7_2_007ABFF0
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_007B07C7

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation

Source: C:\Users\user\Desktop\5uVReRlvME.exe

Code function: 0_2_00D1CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00D1CBEA

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Overwrites Mozilla Firefox settings

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite

Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: procmon.exe
Source: a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: wireshark.exe
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606272422.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663803632.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689896524.0000000003436000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606272422.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202887159.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202656457.0000000003B61000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4202417826.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: c36de44bba.exe, 00000027.00000003.4100349907.0000000001365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.skotes.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.5uVReRlvME.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 1b18db46b2.exe PID: 5444, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a762d7e2e8.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ac8336f967.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4c60777cc9.exe PID: 2328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c36de44bba.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: 30.2.72573a0b5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.72573a0b5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.438cf38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 28.2.72573a0b5a.exe.409b8f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.72573a0b5a.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.409b8f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4260726771.0000000000291000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: a762d7e2e8.exe	String found in binary or memory: llets/ElectronCash
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: a762d7e2e8.exe, 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmk
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: soonmaintain.exe, 00000014.00000002.3737746500.000002307DC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \\walletsRoaming\Bitcoin\walletsBitcoinCoreRoaming\DashCore\walletsDashCoreRoaming\Litecoin\walletsLitecoinCoreRoaming\DogecoinDogecoinCorewallet.datLocal\Coinomi\Coinomi\walletsCoinomiRoaming\Electrum\walletsElectrumRoaming\Qtum\walletsQtumRoaming\ArmoryArmory.walletRoaming\Exodus\exodus.walletExodusRoaming\Electrum-LTC\walletsElectrumLTCRoaming\atomic\Local Storage\leveldbAtomicRoaming\WalletWasabi\Client\WalletsWasabiWalletRoaming\ElectronCash\walletsElectronCashRoaming\Sparrow\walletsSparrow
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: a762d7e2e8.exe, 00000009.00000003.2581349627.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: a762d7e2e8.exe, 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Binance\Local State
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS

Source: C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 20.2.soonmaintain.exe.23065568508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.soonmaintain.exe.23065568508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.InstallUtil.exe.140000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.InstallUtil.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2606272422.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3737746500.000002307DC23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.4036970096.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2581455167.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000003.4062581686.0000000001369000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3631864100.0000023065988000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.3681499880.0000000140000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4175876589.0000000001386000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2581349627.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.3505275182.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.4175178439.0000000001386000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: a762d7e2e8.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ac8336f967.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: soonmaintain.exe PID: 2516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4c60777cc9.exe PID: 2328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7720, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: 1b18db46b2.exe PID: 5444, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: a762d7e2e8.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ac8336f967.exe PID: 7020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4c60777cc9.exe PID: 2328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c36de44bba.exe PID: 8064, type: MEMORYSTR
Source: Yara match	File source: 30.2.72573a0b5a.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.72573a0b5a.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.438cf38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 28.2.72573a0b5a.exe.409b8f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.72573a0b5a.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.72573a0b5a.exe.409b8f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, type: DROPPED

Yara detected Remcos RAT

Source: Yara match	File source: 13.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.vncgroups.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.idmans.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vncgroups.exe PID: 5544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 3132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 5236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 1016, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: idmans.exe PID: 2696, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\idmans\idmans.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 33.2.20da271f67.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.4260726771.0000000000291000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: 20da271f67.exe PID: 6608, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match

File source: 28.2.72573a0b5a.exe.40639b8.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	511 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	2 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	LSASS Memory	23 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	412 Process Injection	3 Obfuscated Files or Information	Security Account Manager	258 System Information Discovery	SMB/Windows Admin Shares	41 Data from Local System	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 Scheduled Task/Job	13 Software Packing	NTDS	1091 Security Software Discovery	Distributed Component Object Model	1 Email Collection	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	31 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	471 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Masquerading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5uVReRlvME.exe	71%	Virustotal		Browse
5uVReRlvME.exe	71%	ReversingLabs	Win32.Backdoor.Remcos
5uVReRlvME.exe	100%	Avira	TR/Crypt.TPM.Gen
5uVReRlvME.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	HEUR/AGEN.1308970
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	HEUR/AGEN.1320706
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	HEUR/AGEN.1309903
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	100%	Avira	BDS/Backdoor.Gen
C:\ProgramData\idmans\idmans.exe	100%	Avira	BDS/Backdoor.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	100%	Joe Sandbox ML
C:\ProgramData\idmans\idmans.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\idmans\idmans.exe	91%	ReversingLabs	Win32.Backdoor.Remcos
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dll[1]	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe	91%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe	35%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe	61%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe	68%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe	48%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe	91%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe	61%	ReversingLabs	Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe	35%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorNetT
C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorNetT
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	71%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\Temp\dD03eDN3F3\Bunifu_UI_v1.5.3.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe (copy)	87%	ReversingLabs	Win32.Trojan.LummaStealer
C:\zrjmnqcrx\gretsylgaw_638708682569357197.exe	87%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://fieldhitty.click:443/api	0%	Avira URL Cloud	safe
https://prisonyfork.buzz:443/api8ZvdX5	0%	Avira URL Cloud	safe
http://45.89.196.115/core/sendPart	0%	Avira URL Cloud	safe
http://185.156.73.23/add?substr=mixtwo&s=three&sub=empUU_	0%	Avira URL Cloud	safe
https://fieldhitty.click/apiob	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/api	100%	Avira URL Cloud	malware
http://specs.openid.net/extensions/ui/1.0/mode/popup	0%	Avira URL Cloud	safe
https://pancakedipyps.click/apiH	100%	Avira URL Cloud	malware
http://185.215.113.206/68b591d6548ec281/msvcp140.dllL	100%	Avira URL Cloud	malware
https://pancakedipyps.click/api6p	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/s	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/t	0%	Avira URL Cloud	safe
https://fieldhitty.click/s	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/apiF9	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/Y	0%	Avira URL Cloud	safe
https://pancakedipyps.click/apioqj	100%	Avira URL Cloud	malware
https://fieldhitty.click/p	0%	Avira URL Cloud	safe
http://185.156.73.23/files/downloadhtml	0%	Avira URL Cloud	safe
https://fieldhitty.click/	0%	Avira URL Cloud	safe
http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	0%	Avira URL Cloud	safe
https://pancakedipyps.click/buS	100%	Avira URL Cloud	malware
http://185.156.73.23/fil=	0%	Avira URL Cloud	safe
https://crownybusher.click/api	0%	Avira URL Cloud	safe
https://prisonyfork.buzz/6	0%	Avira URL Cloud	safe
http://185.156.73.23/files/downloadarse-	0%	Avira URL Cloud	safe

Name	Malicious	Reputation
aspecteirs.lat	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
energyaffai.lat	false	high
grannyejh.lat	false	high
necklacebudi.lat	false	high
crosshuaht.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://fieldhitty.click:443/api	ac8336f967.exe, 0000000B.00000003.4134263076.0000000003B5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/	4c60777cc9.exe, 00000017.00000002.3622631028.0000000003362000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3411143099.0000000003362000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/	20da271f67.exe, 00000021.00000002.4269061613.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tienda4/musical/raw/refs/heads/main/vncgroups.exe	skotes.exe, 00000006.00000003.2603551440.000000000571A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fieldhitty.click/apiob	ac8336f967.exe, 0000000B.00000003.4171205739.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4171472462.0000000003B61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://specs.openid.net/extensions/ui/1.0/mode/popup	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://axschema.org/company/nameBhttp://axschema.org/company/title:http://axschema.org/birthDateNhtt	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206Local	20da271f67.exe, 00000021.00000002.4260726771.00000000003F7000.00000040.00000001.01000000.0000001B.sdmp	false		high
http://specs.openid.net/auth/2.0$dnoa.request_nonce	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz:443/api8ZvdX5	4c60777cc9.exe, 00000017.00000003.3613708713.0000000003364000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529592005.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3486678069.0000000003355000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3556888068.0000000003359000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3487108704.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588339020.0000000003360000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/68b591d6548ec281/nss3.dll	20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/api	4c60777cc9.exe, 00000017.00000002.3621820924.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000002.3622030222.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3554641473.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0	a82132a0ca.exe, 0000000F.00000003.2953144035.0000000001CB2000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3122052257.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/ktiwpptkkmgmawd.exe	skotes.exe, 00000006.00000003.3251127501.0000000005739000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3617367290.0000000005748000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3628582558.0000000005749000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.3251067599.0000000005730000.00000004.00000020.00020000.00000000.sdmp, da7b434153.exe, 00000018.00000000.3250997932.0000000000A72000.00000002.00000001.01000000.00000015.sdmp	false		high
https://s.ytimg.com;	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz/api	c36de44bba.exe, 00000027.00000003.4100349907.0000000001365000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/add?substr=mixtwo&s=three&sub=empUU_	ec6b49ebff.exe, 00000012.00000002.4358805829.0000000000F95000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/tienda4/musical/refs/heads/main/vncgroups.exeoj=	skotes.exe, 00000006.00000003.2603439559.000000000075B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/apiH	a762d7e2e8.exe, 00000009.00000003.2687257225.0000000000E62000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663803632.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689411306.0000000000E64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/	skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/of	72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.16/mine/random.exed	c36de44bba.exe, 00000027.00000003.4255554330.0000000001365000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/ipbefore	a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	false		high
http://openid.net/sreg/1.05http://openid.net/sreg/1.1	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://specs.openid.net/extensions/oauth/1.0	72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://axschema.org/contact/postalAddress/homephttp://axschema.org/contact/postalAddressAdditional/h	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.89.196.115/core/sendPart	InstallUtil.exe, 00000022.00000002.3685310282.00000160A9913000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	a762d7e2e8.exe, 00000009.00000003.2501208708.0000000003462000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4068808777.0000000003B85000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3352307680.0000000003382000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/msvcp140.dllL	20da271f67.exe, 00000021.00000002.4269061613.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/api6p	a762d7e2e8.exe, 00000009.00000003.2581308378.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2606051358.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2581436155.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://html4/loose.dtd	a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	false		high
http://185.215.113.206/68b591d6548ec281/vcruntime140.dll	20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpd	20da271f67.exe, 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://axschema.org/person/genderFhttp://axschema.org/media/biographyBhttp://axschema.org/pref/langu	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
http://axschema.org/namePersonJhttp://axschema.org/namePerson/prefixHhttp://axschema.org/namePerson/	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/s	4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3535105333.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3536009791.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://prisonyfork.buzz/t	4c60777cc9.exe, 00000017.00000003.3529592005.0000000003360000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/steam/random.exeo	skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/apiF9	4c60777cc9.exe, 00000017.00000002.3622030222.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3554641473.0000000000E07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/68b591d6548ec281/sqlite3.dll	20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz/pi	c36de44bba.exe, 0000001F.00000003.3512965695.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000003.3514483976.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 0000001F.00000002.3518238968.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000023.00000002.3738851983.00000000006C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.css	a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	false		high
https://fieldhitty.click/s	ac8336f967.exe, 0000000B.00000003.4202887159.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://recaptcha.net/recaptcha/;	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fieldhitty.click/p	ac8336f967.exe, 0000000B.00000003.4232845132.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4234774124.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/c4becf79229cb002.phpr	20da271f67.exe, 00000021.00000002.4283284529.000000000B813000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mindhandru.buzz:443/api	c36de44bba.exe, 00000023.00000002.3738851983.0000000000699000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.215.113.206/c4becf79229cb002.phpv	20da271f67.exe, 00000021.00000002.4269061613.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/Y	4c60777cc9.exe, 00000017.00000003.3528248080.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3535105333.0000000000E07000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3536009791.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3529696709.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://broadcast.st.dl.eccdnx.com	72573a0b5a.exe, 0000001E.00000002.3476680987.000000000129E000.00000004.00000020.00020000.00000000.sdmp, 72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	a762d7e2e8.exe, 00000009.00000003.2550598767.0000000003468000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4139071886.0000000003B8A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3442713164.000000000338C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.156.73.23/files/downloadhtml	ec6b49ebff.exe, 00000012.00000003.3821411664.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783610230.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.206/68b591d6548ec281/mozglue.dll	20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://axschema.org/3http://schema.openid.net/3http://openid.net/schema/	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	4c60777cc9.exe, 00000017.00000003.3454565026.000000000346F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/apioqj	a762d7e2e8.exe, 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E79000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687318498.0000000000E78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/legal/	72573a0b5a.exe, 0000001E.00000002.3475963154.000000000128C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.jpg	a82132a0ca.exe, 0000000F.00000003.2792594691.00000000078D0000.00000004.00001000.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.2993305784.00000000010B1000.00000040.00000001.01000000.0000000E.sdmp	false		high
https://fieldhitty.click/P	ac8336f967.exe, 0000000B.00000003.4232845132.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4234774124.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://fieldhitty.click/	ac8336f967.exe, 0000000B.00000002.4263396767.00000000013F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	a82132a0ca.exe, 0000000F.00000003.2953144035.0000000001CB2000.00000004.00000020.00020000.00000000.sdmp, a82132a0ca.exe, 0000000F.00000002.3122052257.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crownybusher.click/api	gretsylgaw_638708682569357197.exe, 00000020.00000003.3604381039.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3633733219.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000002.3632510363.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, gretsylgaw_638708682569357197.exe, 00000020.00000003.3603941130.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://namespace.google.com/openid/xmlns	72573a0b5a.exe, 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, 72573a0b5a.exe, 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	a762d7e2e8.exe, 00000009.00000003.2553560241.0000000003446000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3461028065.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000002.4269061613.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	a762d7e2e8.exe, 00000009.00000003.2500403573.000000000347B000.00000004.00000800.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2500494859.0000000003479000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4067024065.0000000003B9A000.00000004.00000800.00020000.00000000.sdmp, ac8336f967.exe, 0000000B.00000003.4066837861.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351464081.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351368336.000000000339B000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3351723749.0000000003399000.00000004.00000800.00020000.00000000.sdmp, 20da271f67.exe, 00000021.00000003.3867140930.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.3854937238.0000000005B39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/buS	a762d7e2e8.exe, 00000009.00000002.2689430494.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2687296485.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, a762d7e2e8.exe, 00000009.00000003.2663518824.0000000000E69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://raw.githubusercontent.com/tienda4/musical/refs/heads/main/vncgroups.exe	skotes.exe, 00000006.00000003.2603439559.000000000075B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2603439559.0000000000757000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000003.2636727447.0000000000750000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.156.73.23/fil=	ec6b49ebff.exe, 00000012.00000003.3869239055.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3745732154.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.4040573070.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783474559.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3681536119.000000000598B000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3821253818.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3954069565.000000000598E000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3908359304.000000000598E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://prisonyfork.buzz/6	4c60777cc9.exe, 00000017.00000003.3614202103.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3614156408.000000000335A000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000003.3588339020.0000000003360000.00000004.00000800.00020000.00000000.sdmp, 4c60777cc9.exe, 00000017.00000002.3622631028.0000000003362000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.215.113.16/steam/random.exe	skotes.exe, 00000006.00000003.3628087924.0000000005706000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4255718056.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, c36de44bba.exe, 00000027.00000003.4255554330.0000000001365000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	soonmaintain.exe, 00000014.00000002.3712880410.0000023075481000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3712880410.0000023075408000.00000004.00000800.00020000.00000000.sdmp, soonmaintain.exe, 00000014.00000002.3752325638.000002307DE20000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.156.73.23/files/downloadarse-	ec6b49ebff.exe, 00000012.00000003.3975746546.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3821411664.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3908507686.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3783610230.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3975487571.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, ec6b49ebff.exe, 00000012.00000003.3869756780.00000000056CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	72573a0b5a.exe, 0000001E.00000002.3476851330.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
23.218.208.109	unknown	United States	6453	AS6453US	false
34.226.108.155	unknown	United States	14618	AMAZON-AESUS	false
104.21.112.1	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.209.202	unknown	United States	13335	CLOUDFLARENETUS	false
185.156.73.23	unknown	Russian Federation	48817	RELDAS-NETRU	false
104.21.89.115	unknown	United States	13335	CLOUDFLARENETUS	false
23.55.153.106	unknown	United States	20940	AKAMAI-ASN1EU	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
172.217.21.36	unknown	United States	15169	GOOGLEUS	false
185.199.110.133	unknown	Netherlands	54113	FASTLYUS	false
172.67.197.192	unknown	United States	13335	CLOUDFLARENETUS	false
31.41.244.11	unknown	Russian Federation	61974	AEROEXPRESS-ASRU	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
172.67.165.185	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.181.142	unknown	United States	15169	GOOGLEUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
20.233.83.145	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
45.89.196.115	unknown	Russian Federation	35913	DEDIPATH-LLCUS	false
194.163.146.146	unknown	Germany	6659	NEXINTO-DE	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
5.101.3.217	unknown	Russian Federation	34665	PINDC-ASRU	false
64.233.161.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581276
Start date and time:	2024-12-27 09:47:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 20m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	68
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	5uVReRlvME.exe renamed because original name is a hash value
Original Sample Name:	43bfce1d0b5a83f67f9cfcbe5be0cd70eb0e0ff4d51a8e7e2d462c46bb892161.exe
Detection:	MAL
Classification:	mal100.phis.troj.adwa.spyw.expl.evad.winEXE@90/64@0/25
EGA Information:	Successful, ratio: 80%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Execution Graph export aborted for target a762d7e2e8.exe, PID 8040 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
03:49:01	API Interceptor	11725692x Sleep call for process: skotes.exe modified
03:49:16	API Interceptor	7x Sleep call for process: a762d7e2e8.exe modified
03:50:06	API Interceptor	2449516x Sleep call for process: idmans.exe modified
03:50:34	API Interceptor	9x Sleep call for process: 4c60777cc9.exe modified
03:50:36	API Interceptor	212740x Sleep call for process: ec6b49ebff.exe modified
03:50:38	API Interceptor	25x Sleep call for process: powershell.exe modified
03:50:44	API Interceptor	8x Sleep call for process: 72573a0b5a.exe modified
03:50:59	API Interceptor	5305688x Sleep call for process: da7b434153.exe modified
03:50:59	API Interceptor	228x Sleep call for process: c36de44bba.exe modified
03:51:04	API Interceptor	4x Sleep call for process: soonmaintain.exe modified
03:51:08	API Interceptor	2x Sleep call for process: gretsylgaw_638708682569357197.exe modified
03:51:23	API Interceptor	3x Sleep call for process: svchost.exe modified
03:51:42	API Interceptor	783x Sleep call for process: 20da271f67.exe modified
03:51:52	API Interceptor	7x Sleep call for process: ac8336f967.exe modified
08:47:57	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
08:49:35	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W "C:\ProgramData\idmans\idmans.exe"
08:49:43	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W "C:\ProgramData\idmans\idmans.exe"
08:49:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run idmans-KXQ59W "C:\ProgramData\idmans\idmans.exe"
08:51:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run c36de44bba.exe C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe
08:51:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run c36de44bba.exe C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe
08:51:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 20da271f67.exe C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
08:51:30	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 1b18db46b2.exe C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe
08:51:40	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a0f4fa9b49.exe C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe
08:51:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe
08:52:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 20da271f67.exe C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
08:52:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 1b18db46b2.exe C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe
08:52:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a0f4fa9b49.exe C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe
08:53:23	Task Scheduler	Run new task: Intel_PTT_EK_Recertification path: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.43/Zu7JuNko/index.php
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	oTZfvSwHTq.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	ZBbOXn0a3R.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	0Pm0sadcCP.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	uLkHEqZ3u3.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
23.218.208.109	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	RECOUVREMENT -FACTURER1184521.pdf	Get hash	malicious	Unknown	Browse
	https://garfieldthecat.tech/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse
	https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
	attachment.eml	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	LIWYEYWSOj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	CAo57G5Cio.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	ZvHSpovhDw.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	8WRONDszv4.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	185.215.113.16
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.206
	Idau8QuYa3.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	7jKx8dPOEs.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
AS6453US	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	23.218.208.109
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	23.218.208.109
	jklspc.elf	Get hash	malicious	Unknown	Browse	64.86.213.123
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	23.218.208.109
	[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml	Get hash	malicious	Unknown	Browse	23.218.208.137
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	180.87.179.114
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.218.208.109
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	180.87.100.231
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	80.231.239.225
	http://northwesthousingservices.discussripped.com	Get hash	malicious	HTMLPhisher	Browse	23.218.209.163
AMAZON-AESUS	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	34.195.210.183
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	3.218.7.103

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	i8Vwc7iOaG.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar	Browse
	glpEv3POe7.exe	Get hash	malicious	Stealc, Vidar	Browse
	gYjK72gL17.exe	Get hash	malicious	Stealc, Vidar	Browse
	iUKUR1nUyD.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	xlSzrIs5h6.exe	Get hash	malicious	LummaC, Stealc	Browse
	1lhZVZx5nD.exe	Get hash	malicious	Stealc, Vidar	Browse
	Qsqi9KQXgy.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BAAEHDBFIDAFIDHJEBFB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DHJDAFIE

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GDHDAEBG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKECFCFBGDHIECAAFIID

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x4d6093d8, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4222070535749324
Encrypted:	false
SSDEEP:	1536:PSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Pazag03A2UrzJDO
MD5:	7C2AEB33F1FD6DA34B34AC89DD01E535
SHA1:	F12580D1F07F7E203D452EBDA6B07B7C097059A9
SHA-256:	4EAA8159E913D729360F0D213CC92D2015BC8629F658DE862D2690142C07125B
SHA-512:	4B46078A8AF526974AA2C3E1B78B65AB87E6EC45DDC00EB2AF4FC7F88F8D14A09906C2D2977144D8B06DCCE81A9EC847171726275FB8A22041220021853FC315
Malicious:	false
Preview:	M`..... .......Y.......X\...;...{......................n.%.....)6...\|...3...\|..h.#.....)6...\|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{..................................S..)6...\|..................x6Cb)6...\|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DRWgoZo325.exe, Detection: malicious, Browse Filename: i8Vwc7iOaG.exe, Detection: malicious, Browse Filename: glpEv3POe7.exe, Detection: malicious, Browse Filename: gYjK72gL17.exe, Detection: malicious, Browse Filename: iUKUR1nUyD.exe, Detection: malicious, Browse Filename: cMTqzvmx9u.exe, Detection: malicious, Browse Filename: ElmEHL9kP9.exe, Detection: malicious, Browse Filename: xlSzrIs5h6.exe, Detection: malicious, Browse Filename: 1lhZVZx5nD.exe, Detection: malicious, Browse Filename: Qsqi9KQXgy.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\idmans\idmans.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	493056
Entropy (8bit):	6.586663160196855
Encrypted:	false
SSDEEP:	12288:f9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5q+P32:943HfwIGYMcn5PJrZk+
MD5:	532ABCCDFE34F585BE8EEC40BDC7972D
SHA1:	7B228509DCF22388CEFF2B372C0A2F50C7382A50
SHA-256:	0BE4487462EDE94362A2CE208E7C256E1C2D6ACF361B6CDA72FBAA2A3A66E6B8
SHA-512:	88A15DB9474153C89FC8901DD4AD701D258F78682D81CCD88A711DD82F15B8090729A7D9875526B6A4B166BF7A94E9DC7D4E561E9D6D7539BE9C5677CC80CE27
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\idmans\idmans.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\idmans\idmans.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\ProgramData\idmans\idmans.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H..........PE..L...r.Rg.................`..."......J;.......p....@......................................................................... ........`...K.......................;......8...........................H...@............p...............................text...-_.......`.................. ..`.rdata.......p.......d..............@..@.data....]..........................@....rsrc....K...`...L..................@..@.reloc...;.......<...J..............@..B................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\72573a0b5a.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	617
Entropy (8bit):	5.3554278163807965
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAt92n4M9XKbbDLI4MWuPJKAVKharkvoDLI4MWuCv:ML9E4Ke84qXKDE4KhKiKhIE4Ks
MD5:	783B5197F36053BBA046C2EF2515F80E
SHA1:	49CB890E4C6536FD79EF1C7BE83949509B37A824
SHA-256:	9513A3E5E55C5471F606E5E0B06C46CD4E357F46602BBF43F24E1E70572F5F91
SHA-512:	6ACD461D38A8F665E6CF4B585B720ABEB0B3F8556C817E576991DF758D9FFE68479B2E634EB60223C7B7909F34C7A1853F13F0CEE3CB4F7C5951228A91BE24C4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a0f4fa9b49.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\fuckingdllENCR[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	data
Category:	dropped
Size (bytes):	97296
Entropy (8bit):	7.9982317718947025
Encrypted:	true
SSDEEP:	1536:A1FazaNKjs9ezO6kGnCRFVjltPjM9Ew1MhiIeJfZCQdOlnq32YTCUZiyAS3tUX9F:k4zaMjVUGCRzbgqw1MoIeJyQ4nyqX9F
MD5:	E6743949BBF24B39B25399CD7C5D3A2E
SHA1:	DBE84C91A9B0ACCD2C1C16D49B48FAEAEC830239
SHA-256:	A3B82FC46635A467CC8375D40DDBDDD71CAE3B7659D2BB5C3C4370930AE9468C
SHA-512:	3D50396CDF33F5C6522D4C485D96425C0DDB341DB9BD66C43EAE6D8617B26A4D9B4B9A5AEE0457A4F1EC6FAC3CB8208C562A479DCAE024A50143CBFA4E1F15F6
Malicious:	false
Preview:	XM .4Ih..]...t.&.s...v.0{.v.vs'...:.l.h...e.....R....1...r.R+Fk....~.s.....Q.....r.T.b.....~c..[........;...j.@.0.%.....x...v.w.....<ru....Yre;.b6...HQ-...8.B..Q.a...R.:.h&r.......=.;r.k..T.@....l..;#..3!.O..x.}........y'<.GfQ.K.#.L5v..].......d....N{e..@................A\..<.t.u.X.O.n..Z.. .Xb.O<.Z...h~.(.W.f.z.V.4..L...%5.0...H..`s...y.B......(IL5s:aS}X.......M9.J.o....).'..M;n6]...W..n....)...L...._..e.....>....[....RA.........'...6.N..g6....IY.%h.. 3r....^..\.b~y./....h.2......ZLk....u}..V..<.fbD.<!.._2.zo..IE...P..O...u......P.......w#.6N..&l.R}GI...LY...N.yz..j..Hy.'..._.5..Pd9.y..+....6.q...).G.c...L#....5\.M....5U])....U(..~H.m....Y....G1.r.4.B..h........P..]i...M%.............)q......]....~\|..j...b..K!..N.7R.}T.2bsq..1...L^..!.\|q.D'...s.Ln...D@..bn%0=b.Q1.....+l...QXO\|.......NC.d......{.0....8F.....<.W.y..{o..j.3.....n..4.....eS]. K...o.B.H~.sh.1....m8....6{.ls..R..q..~....w._;....X*.#..U....6n.ODbT.+Zc....q....S.$-S`YT....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	540672
Entropy (8bit):	7.614709628313703
Encrypted:	false
SSDEEP:	12288:huB9du8NOZx84E5YoShCwrp1OkwWFewdYHMUzN4r52ki:i9du88Zx8VAwBkewVUckki
MD5:	9AB250B0DC1D156E2D123D277EB4D132
SHA1:	3B434FF78208C10F570DFE686455FD3094F3DD48
SHA-256:	49BFA0B1C3553208E59B6B881A58C94BB4AA3D09E51C3F510F207B7B24675864
SHA-512:	A30FB204B556B0DECD7FAB56A44E62356C7102BC8146B2DFD88E6545DEA7574E043A3254035B7514EE0C686A726B8F5BA99BCD91E8C2C7F39C105E2724080EF0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<...............................p....................................................J..l............................text...+........................... ..`.rdata..\|...........................@..@.data....%...`.......J..............@....tls.................`..............@....reloc..p............b..............@..B.bss................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2020864
Entropy (8bit):	7.940427480776965
Encrypted:	false
SSDEEP:	24576:+sxBcmJsYD5MtIE2i3Keuph8QVn6dhicrn8NUGOWk9jHA7sCE8Xw+v+sWavrGLSM:V+aibuLn6d/8G9jHS9bW5ztPXFB
MD5:	A799CA00B534622E3CE09CEDBB913F79
SHA1:	30FBC64022B704D4EE78B312FDC1F2A018522AD4
SHA-256:	C478F156FE5C34581FE6913183CC08C5103BABC310CB60250DBA395B261BBDEC
SHA-512:	493FBCF504C54B6FA215A9E865BFB0AD74DA564C94A61926ABE067071407B58E8EF578950816D8E4973BDB5F5CCBEF6392EA78C34D4B4107C0A6627B20B04040
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.........................................................................[.A.o.....@.....................................................\0...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... .0+...A.....................@...qvetuklh......l.....................@...wtstibuo............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995776
Entropy (8bit):	7.577883288243697
Encrypted:	false
SSDEEP:	49152:hVV5d9oUzDeXbUWYn539peVt5WA9M0XSexbUXM+OBF:fDX/zaXbUXn5OcAS0Xxxb
MD5:	3B6A8C673CDBE5C6944E92E7DE9F75CF
SHA1:	9B5F929487E34F165B823FFCEA633EE5DCC2F4C9
SHA-256:	FC30BAE1017793F98E10AF88272F516DAB229BAFE33DFA6B960B41FF3D141FD7
SHA-512:	34E0D737BD1BB3048F2FC15C47EE3A835F2EF0F3E70F0C0EB96A93E881FD481222B1B5E1114EE86FF83DE10A854DCFD54ED0DE1E1FB26EDD0F4DC7F068423895
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[3].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:...............P................. ........@.. ....................................@.....................................K...................................9................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc...............r..............@..B........................H.......H....8..............U...........................................6+.(..1`(......:+.(wGDY.(.............(...........................(......0..........(.... ........8........E....!...<...f.......8....s......... .....9....&8....s......... .....9....&8....s......... .....9....&8....s.........8....s.........8........0..............0..............0..............0..............0............................0..............0.....................0.............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2817536
Entropy (8bit):	6.4947934941030026
Encrypted:	false
SSDEEP:	49152:mRKWoGCSGEa/QjFAUo3pxdiwSHSmWOQHbcrNjr:mRKvGChEAQhJ4xdiwSHpLv
MD5:	93A5223F9562039D7EF899F0EC56FE60
SHA1:	3B9B22A10230419C0AA7B2A5EE1BC80AE2B56DB7
SHA-256:	026227529E6552A3C0FD2875D4ACFBD8A7460CAF501DC9168772995D967FEE12
SHA-512:	26EF84E2776437BDBC2229E3988B4109A8CC20491DE278970E4CC643C420E29ED02AF4C1EA36C001956F7E9472A5A5BE63C5F1F25DCE9E646B84059A1465A9F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....3.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...nrnabjtb........p..h..............@...ogfktabi. ... +....................@....taggant.@...@+..".................@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\add[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\dll[1]

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	242176
Entropy (8bit):	6.47050397947197
Encrypted:	false
SSDEEP:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:	2ECB51AB00C5F340380ECF849291DBCF
SHA1:	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:	E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502272
Entropy (8bit):	7.646243580665455
Encrypted:	false
SSDEEP:	12288:6ZqOSYt4cgd2+Q5dzFEUuWL3/dlDOj7rJvc+:6sOSKgxQYrWLvQi+
MD5:	A771A9D93D804668B707E13403915080
SHA1:	5482681983965F4280E5D629A6A141DF6F0B57DF
SHA-256:	08826CEC79CAB7D2AA84C627F99DC6C2E918FFD501134B6D2433D22D99A7B4FD
SHA-512:	AFA4A96D0F0C9F441D4AA634B4ACE62438D73F5D8A361E19CE46A4106F06869504117B48937A6F488594D81CF3528ADE1FF85498C16D1F3707DCED136F9A8763
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5220864
Entropy (8bit):	5.502925943221917
Encrypted:	false
SSDEEP:	49152:IIupF1hZ3bCD872uazGAUMqvF8kqIqcT8zKVP:INhhZL52dbUfF8gqcAzKVP
MD5:	A82B9D32414422F485E9FF40E510675F
SHA1:	8FBE5D22749AC95163B3E10B268FB6BFC69C7FEE
SHA-256:	053FB7455E2FDC96818309F32DE65E5A102FD382E83912C836A567FC42D881F2
SHA-512:	5D7C67C2B41D505CEA2CEFF0B3602E7D23C7B1426A871B7ED308F51A39CD2896B3C82186C267D094E284A9BE01B9FC7BBA9A42305F1EC783BB9A2C167093CF6D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........O...........@...........................O.....i.P...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...gngdpjhn.....$......$.............@...poaqzqjh......O.......O.............@....taggant.0....O.."....O.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	493056
Entropy (8bit):	6.586663160196855
Encrypted:	false
SSDEEP:	12288:f9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5q+P32:943HfwIGYMcn5PJrZk+
MD5:	532ABCCDFE34F585BE8EEC40BDC7972D
SHA1:	7B228509DCF22388CEFF2B372C0A2F50C7382A50
SHA-256:	0BE4487462EDE94362A2CE208E7C256E1C2D6ACF361B6CDA72FBAA2A3A66E6B8
SHA-512:	88A15DB9474153C89FC8901DD4AD701D258F78682D81CCD88A711DD82F15B8090729A7D9875526B6A4B166BF7A94E9DC7D4E561E9D6D7539BE9C5677CC80CE27
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vncgroups[1].exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H..........PE..L...r.Rg.................`..."......J;.......p....@......................................................................... ........`...K.......................;......8...........................H...@............p...............................text...-_.......`.................. ..`.rdata.......p.......d..............@..@.data....]..........................@....rsrc....K...`...L..................@..@.reloc...;.......<...J..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\key[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.880179922675737
Encrypted:	false
SSDEEP:	3:gFsR0GOWW:gyRhI
MD5:	408E94319D97609B8E768415873D5A14
SHA1:	E1F56DE347505607893A0A1442B6F3659BEF79C4
SHA-256:	E29A4FD2CB1F367A743EA7CFD356DBD19AEB271523BBAE49D4F53257C3B0A78D
SHA-512:	994FA19673C6ADC2CC5EF31C6A5C323406BB351551219EE0EEDA4663EC32DAF2A1D14702472B5CF7B476809B088C85C5BE684916B73046DA0DF72236BC6F5608
Malicious:	false
Preview:	9tKiK3bsYm4fMuK47Pk3s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4523520
Entropy (8bit):	7.985643284885463
Encrypted:	false
SSDEEP:	98304:f9BerfMdJtZSrZBU0/2pF+TTwmddqkqNhoJKs5L:f9SMqYAqmdgNhoM
MD5:	EFD7BBABA8AA8E6865430D1FFCFBF2D5
SHA1:	A9C1B894DC0628909524F21C2B8DA3D80D4D1725
SHA-256:	044837966B88050AAFBA12D5765A42768DE8B1B55CD83A274DF9A0FCF17FEDE2
SHA-512:	EACC546270F7CC56567B2003FF0274EC063F756DDA74A523A571BE93197AE09167B37E6E644E67F586BBD23D4645684D00F5E5BE28F991DC19E6FCD281957FD9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...@....... I...@..........................p........E...@... ............................._.m.s.....m...............p......-...............................,...................................................... . ..m.......(.................@....rsrc.........m.......(.............@....idata ......m.......(.............@... ..:...m.......(.............@...sqttxtfh.@......@....(.............@...byszctih.....0........D.............@....taggant.0...@..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.210815025861932
Encrypted:	false
SSDEEP:	384:pgcgXHL1tlQFy6ATAQlCXXXgTGXkLKzgmbE3mPu2NX3ycUfQs0FgsFssAfYQ+GfL:pWL1jQUzTGUL2bSURCLYppSRWk7j
MD5:	2A73FA2FB9F993D5F412716C3369ED0A
SHA1:	750FE5A6926B18CF28F5D00195199B067AA3AE0E
SHA-256:	98BD987C16BC98A82F39AFCB3AC50623A9A2530294DB595363EDAA20E447E6D3
SHA-512:	C60C4E8F3EF8B5900BD4688F635952A3B699B4AA288B17F85DDE51E08C50C2B5A82CF5E60A54F0850AF2570CE4819E2B24D653F09F097E83B8CC43E5060E30D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..R..........6p... ........@.. ....................................`..................................o..O...................................To..8............................................ ............... ..H............text...<P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................p......H........8..p6...........................................................0...........(...........,..(.....8....r...p(.....rG..p(..... ....(......(..... . ,..r...p(.....8....r...p(.....(.....r#..p(......(.....re..p..&...(....(.....r...p(........(.....r...p.(......(....&r...p.(....(.....r...p(......(......rW..p...&...(....(.....r...p(......(......r...p...&...(....(.....r...p(......(......rG..p(........~....%-.&~......(...s....%.....(...+o.....!+..!o.....".ru..p."(....."(.....&.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\download[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2668544
Entropy (8bit):	6.1024828899386625
Encrypted:	false
SSDEEP:	49152:CAT1rDm9Jeg99E2spwr44UaaDB8v+oyLfwt3LE3eFqZHNZ25WYDo6fsWc6jlOaSo:CATNI9G2sOr44UaaDB8moVt3LE3eFqZw
MD5:	87330F1877C33A5A6203C49075223B16
SHA1:	55B64EE8B2D1302581AB1978E9588191E4E62F81
SHA-256:	98F2344ED45FF0464769E5B006BF0E831DC3834F0534A23339BB703E50DB17E0
SHA-512:	7C747D3EDB04E4E71DCE7EFA33F5944A191896574FEE5227316739A83D423936A523DF12F925EE9B460CCE23B49271F549C1EE5D77B50A7D7C6E3F31BA120C8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.Gra.)!a.)!a.)!.** l.)!., ..)!.- r.)!p-* s.)!p-- q.)!p-, G.)!.( d.)!a.(!?.)!.-! `.)!.-.!`.)!.-+ `.)!Richa.)!................PE..L.....eg.................&.........P.#.......&...@...........................).......(...@...................................'.<.....'.}.....................(..j....'.T...........................@.'.@.............&.@............................text.....&.......&................. ..`.rdata..,.....&.......&.............@..@.data.........'.......'.............@....fptable......'.......'.............@....rsrc...}.....'.......'.............@..@.reloc...j....(..l...L(.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[3].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1865728
Entropy (8bit):	7.948354426956053
Encrypted:	false
SSDEEP:	49152:KC9HU9KXqJ3BJS0AyuDVD1m8XV0XDK+BY:Dm0qJ3nvAfVDUXHm
MD5:	80EF44E8078DD87D1399FC27FAD67B01
SHA1:	5690860B154982423017E869A032499F6089CB95
SHA-256:	E0ED19EF61B0CFA0A57F8347A1A5A139FB8CBDA936694BAEB9585E833C5C97C0
SHA-512:	424C753468AB825A29A60CFA440F4B87374566AF00208D9123B8B3BC9F13676088DF253A4D4DDC77469116652E9A663935A47C8180B515977F5C9FC24FB60D5E
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@...........................I......:....@.................................Y@..m....0.......................A...................................................................................... . . .......d..................@....rsrc........0.......t..............@....idata .....@.......v..............@... .P*..P.......x..............@...ebdcmeyg....../......z..............@...cwlbrkyq......I......P..............@....taggant.0....I.."...V..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[4].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	971776
Entropy (8bit):	6.706097682311586
Encrypted:	false
SSDEEP:	24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8a+Qu9:ETvC/MTQYxsWR7a+Q
MD5:	B6E7FA7056D471A01E6524CA245D0C1E
SHA1:	BD5B8F3621CA13879571733B395C3F88A237708F
SHA-256:	FDAC0180BD57E05876618C0BD9A34264644225CE7A4E561FE5819C3698C673B3
SHA-512:	DEC5FE82353D13DA092BA54848AB7A1713A290872DD64F25A0AD17D9251097289D8B1FCA7D876CB97366DB2E366A8FCC6AD40CEAE80BC6382EDB1AE8E7146D97
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....hng.........."..........$......w.............@..........................0......v.....@...@.......@.....................d...\|....@...i.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....i...@...j..................@..@.reloc...u.......v...^..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	15612
Entropy (8bit):	5.0007665989277985
Encrypted:	false
SSDEEP:	384:d1VoGIpN6KQkj2qkjh4iUxehQVKoxOdBMNXp5rvOjJiYo0ib4J:d1V3IpNBQkj2Ph4iUxehYKoxOdBMNZd4
MD5:	A8D66A40EEA8831B03CDC478ED797E6E
SHA1:	F2DB655B7A8F6A211E8F6D95B50B3D7BC325F7CE
SHA-256:	09178396408F3B27CBE725A8A455B37894EE4A3DBFCC34636DD23E96AB97C8CA
SHA-512:	33C1DA734E45158C61EA1679202BAA3813C71901C9B5D481A09F244C9653C4DD76C1CD12378468579595C3C8CC92F60E868982BB26236841CDAE7BDB5B455C8F
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379938008936079
Encrypted:	false
SSDEEP:	48:wWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:wLHyIFKL3IZ2KRH9Oug8s
MD5:	642B2BB8F5469D7ACA5D78625A941C0F
SHA1:	49568AFB92968078732FB3887F5923D7663CC073
SHA-256:	7411341730810200323C82351BA6FCD1CC9F497A8405B1EF61FD4CE1BD10B706
SHA-512:	E050BBE5B9FD8AEE05F5BCF9A1BE0F2C7FE851D9CC32546E90D50B1C9892882081F3AF0CCDF1563BED0B3C6E02962E7AE03E9C2F84C5692466CD1CE0EDAD389E
Malicious:	false
Preview:	@...e.................................X..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	540672
Entropy (8bit):	7.614709628313703
Encrypted:	false
SSDEEP:	12288:huB9du8NOZx84E5YoShCwrp1OkwWFewdYHMUzN4r52ki:i9du88Zx8VAwBkewVUckki
MD5:	9AB250B0DC1D156E2D123D277EB4D132
SHA1:	3B434FF78208C10F570DFE686455FD3094F3DD48
SHA-256:	49BFA0B1C3553208E59B6B881A58C94BB4AA3D09E51C3F510F207B7B24675864
SHA-512:	A30FB204B556B0DECD7FAB56A44E62356C7102BC8146B2DFD88E6545DEA7574E043A3254035B7514EE0C686A726B8F5BA99BCD91E8C2C7F39C105E2724080EF0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<...............................p....................................................J..l............................text...+........................... ..`.rdata..\|...........................@..@.data....%...`.......J..............@....tls.................`..............@....reloc..p............b..............@..B.bss................................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2668544
Entropy (8bit):	6.1024828899386625
Encrypted:	false
SSDEEP:	49152:CAT1rDm9Jeg99E2spwr44UaaDB8v+oyLfwt3LE3eFqZHNZ25WYDo6fsWc6jlOaSo:CATNI9G2sOr44UaaDB8moVt3LE3eFqZw
MD5:	87330F1877C33A5A6203C49075223B16
SHA1:	55B64EE8B2D1302581AB1978E9588191E4E62F81
SHA-256:	98F2344ED45FF0464769E5B006BF0E831DC3834F0534A23339BB703E50DB17E0
SHA-512:	7C747D3EDB04E4E71DCE7EFA33F5944A191896574FEE5227316739A83D423936A523DF12F925EE9B460CCE23B49271F549C1EE5D77B50A7D7C6E3F31BA120C8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 48%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.Gra.)!a.)!a.)!.** l.)!., ..)!.- r.)!p-* s.)!p-- q.)!p-, G.)!.( d.)!a.(!?.)!.-! `.)!.-.!`.)!.-+ `.)!Richa.)!................PE..L.....eg.................&.........P.#.......&...@...........................).......(...@...................................'.<.....'.}.....................(..j....'.T...........................@.'.@.............&.@............................text.....&.......&................. ..`.rdata..,.....&.......&.............@..@.data.........'.......'.............@....fptable......'.......'.............@....rsrc...}.....'.......'.............@..@.reloc...j....(..l...L(.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	493056
Entropy (8bit):	6.586663160196855
Encrypted:	false
SSDEEP:	12288:f9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5q+P32:943HfwIGYMcn5PJrZk+
MD5:	532ABCCDFE34F585BE8EEC40BDC7972D
SHA1:	7B228509DCF22388CEFF2B372C0A2F50C7382A50
SHA-256:	0BE4487462EDE94362A2CE208E7C256E1C2D6ACF361B6CDA72FBAA2A3A66E6B8
SHA-512:	88A15DB9474153C89FC8901DD4AD701D258F78682D81CCD88A711DD82F15B8090729A7D9875526B6A4B166BF7A94E9DC7D4E561E9D6D7539BE9C5677CC80CE27
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H..........PE..L...r.Rg.................`..."......J;.......p....@......................................................................... ........`...K.......................;......8...........................H...@............p...............................text...-_.......`.................. ..`.rdata.......p.......d..............@..@.data....]..........................@....rsrc....K...`...L..................@..@.reloc...;.......<...J..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4523520
Entropy (8bit):	7.985643284885463
Encrypted:	false
SSDEEP:	98304:f9BerfMdJtZSrZBU0/2pF+TTwmddqkqNhoJKs5L:f9SMqYAqmdgNhoM
MD5:	EFD7BBABA8AA8E6865430D1FFCFBF2D5
SHA1:	A9C1B894DC0628909524F21C2B8DA3D80D4D1725
SHA-256:	044837966B88050AAFBA12D5765A42768DE8B1B55CD83A274DF9A0FCF17FEDE2
SHA-512:	EACC546270F7CC56567B2003FF0274EC063F756DDA74A523A571BE93197AE09167B37E6E644E67F586BBD23D4645684D00F5E5BE28F991DC19E6FCD281957FD9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...@....... I...@..........................p........E...@... ............................._.m.s.....m...............p......-...............................,...................................................... . ..m.......(.................@....rsrc.........m.......(.............@....idata ......m.......(.............@... ..:...m.......(.............@...sqttxtfh.@......@....(.............@...byszctih.....0........D.............@....taggant.0...@..."....D.............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2020864
Entropy (8bit):	7.940427480776965
Encrypted:	false
SSDEEP:	24576:+sxBcmJsYD5MtIE2i3Keuph8QVn6dhicrn8NUGOWk9jHA7sCE8Xw+v+sWavrGLSM:V+aibuLn6d/8G9jHS9bW5ztPXFB
MD5:	A799CA00B534622E3CE09CEDBB913F79
SHA1:	30FBC64022B704D4EE78B312FDC1F2A018522AD4
SHA-256:	C478F156FE5C34581FE6913183CC08C5103BABC310CB60250DBA395B261BBDEC
SHA-512:	493FBCF504C54B6FA215A9E865BFB0AD74DA564C94A61926ABE067071407B58E8EF578950816D8E4973BDB5F5CCBEF6392EA78C34D4B4107C0A6627B20B04040
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i...........nG@.....ZR.....ZC.....ZU.................Z\.....ZB.....ZG....Rich...................PE..L....,.e.....................@....................@.........................................................................[.A.o.....@.....................................................\0...................................................... . ..@......N..................@....rsrc.........@..p...^..............@....idata ......A.....................@... .0+...A.....................@...qvetuklh......l.....................@...wtstibuo............................@....taggant.0......."..................@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2282496
Entropy (8bit):	7.977141663846527
Encrypted:	false
SSDEEP:	49152:zbhNKaAGXnfj1V5GqSGIK7+yo22YdBwxpLwzvysDxeAPY01Y:/bHdGqCKSKdBwPUBDhw01Y
MD5:	71B104246AC3F43D058E7C67E8B07DEF
SHA1:	9CA447F8443A95DC7BFAF082AE88DB7C338CB580
SHA-256:	2EF46EDD099D06C685F70182337F9F0E1A8DD36B2977509EB5A309582F72E9C8
SHA-512:	4C58B1B89FFD82BEF5249ABE87506A0FB904384C239798D70EA4F5D5745168E143F0FD9340C52D526E997196DA4315906CEEDFAE8A923BDE26CC502C73B5BE3E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6..7...6..7...6..7...6..7...6...6...6..7...6..o6...6..7...6Rich...6................PE..d................."......\|...T"................@.............................0#.....T.#...`.......... ......................................<............"".................. #. .......T...........................................(... ............................text....{.......\|.................. ..`.rdata...".......$..................@..@.data...............................@....pdata..............................@..@.rsrc....0"......$".................@..@.reloc.. .... #.......".............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502272
Entropy (8bit):	7.646243580665455
Encrypted:	false
SSDEEP:	12288:6ZqOSYt4cgd2+Q5dzFEUuWL3/dlDOj7rJvc+:6sOSKgxQYrWLvQi+
MD5:	A771A9D93D804668B707E13403915080
SHA1:	5482681983965F4280E5D629A6A141DF6F0B57DF
SHA-256:	08826CEC79CAB7D2AA84C627F99DC6C2E918FFD501134B6D2433D22D99A7B4FD
SHA-512:	AFA4A96D0F0C9F441D4AA634B4ACE62438D73F5D8A361E19CE46A4106F06869504117B48937A6F488594D81CF3528ADE1FF85498C16D1F3707DCED136F9A8763
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....kg.........."......:.......................@.......................................@.....................................<....0.......................@..............................(........_..................p............................text....8.......:.................. ..`.rdata......P.......@..............@..@.data...T'..........................@....tls......... ......................@....rsrc........0......................@..@.reloc.......@......................@..B.bss.........`......................@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.210815025861932
Encrypted:	false
SSDEEP:	384:pgcgXHL1tlQFy6ATAQlCXXXgTGXkLKzgmbE3mPu2NX3ycUfQs0FgsFssAfYQ+GfL:pWL1jQUzTGUL2bSURCLYppSRWk7j
MD5:	2A73FA2FB9F993D5F412716C3369ED0A
SHA1:	750FE5A6926B18CF28F5D00195199B067AA3AE0E
SHA-256:	98BD987C16BC98A82F39AFCB3AC50623A9A2530294DB595363EDAA20E447E6D3
SHA-512:	C60C4E8F3EF8B5900BD4688F635952A3B699B4AA288B17F85DDE51E08C50C2B5A82CF5E60A54F0850AF2570CE4819E2B24D653F09F097E83B8CC43E5060E30D4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 35%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..R..........6p... ........@.. ....................................`..................................o..O...................................To..8............................................ ............... ..H............text...<P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................p......H........8..p6...........................................................0...........(...........,..(.....8....r...p(.....rG..p(..... ....(......(..... . ,..r...p(.....8....r...p(.....(.....r#..p(......(.....re..p..&...(....(.....r...p(........(.....r...p.(......(....&r...p.(....(.....r...p(......(......rW..p...&...(....(.....r...p(......(......r...p...&...(....(.....r...p(......(......rG..p(........~....%-.&~......(...s....%.....(...+o.....!+..!o.....".ru..p."(....."(.....&.

C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1995776
Entropy (8bit):	7.577883288243697
Encrypted:	false
SSDEEP:	49152:hVV5d9oUzDeXbUWYn539peVt5WA9M0XSexbUXM+OBF:fDX/zaXbUXn5OcAS0Xxxb
MD5:	3B6A8C673CDBE5C6944E92E7DE9F75CF
SHA1:	9B5F929487E34F165B823FFCEA633EE5DCC2F4C9
SHA-256:	FC30BAE1017793F98E10AF88272F516DAB229BAFE33DFA6B960B41FF3D141FD7
SHA-512:	34E0D737BD1BB3048F2FC15C47EE3A835F2EF0F3E70F0C0EB96A93E881FD481222B1B5E1114EE86FF83DE10A854DCFD54ED0DE1E1FB26EDD0F4DC7F068423895
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:...............P................. ........@.. ....................................@.....................................K...................................9................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc...............r..............@..B........................H.......H....8..............U...........................................6+.(..1`(......:+.(wGDY.(.............(...........................(......0..........(.... ........8........E....!...<...f.......8....s......... .....9....&8....s......... .....9....&8....s......... .....9....&8....s.........8....s.........8........0..............0..............0..............0..............0............................0..............0.....................0.............

C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1865728
Entropy (8bit):	7.948354426956053
Encrypted:	false
SSDEEP:	49152:KC9HU9KXqJ3BJS0AyuDVD1m8XV0XDK+BY:Dm0qJ3nvAfVDUXHm
MD5:	80EF44E8078DD87D1399FC27FAD67B01
SHA1:	5690860B154982423017E869A032499F6089CB95
SHA-256:	E0ED19EF61B0CFA0A57F8347A1A5A139FB8CBDA936694BAEB9585E833C5C97C0
SHA-512:	424C753468AB825A29A60CFA440F4B87374566AF00208D9123B8B3BC9F13676088DF253A4D4DDC77469116652E9A663935A47C8180B515977F5C9FC24FB60D5E
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..............................I...........@...........................I......:....@.................................Y@..m....0.......................A...................................................................................... . . .......d..................@....rsrc........0.......t..............@....idata .....@.......v..............@... .P*..P.......x..............@...ebdcmeyg....../......z..............@...cwlbrkyq......I......P..............@....taggant.0....I.."...V..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5220864
Entropy (8bit):	5.502925943221917
Encrypted:	false
SSDEEP:	49152:IIupF1hZ3bCD872uazGAUMqvF8kqIqcT8zKVP:INhhZL52dbUfF8gqcAzKVP
MD5:	A82B9D32414422F485E9FF40E510675F
SHA1:	8FBE5D22749AC95163B3E10B268FB6BFC69C7FEE
SHA-256:	053FB7455E2FDC96818309F32DE65E5A102FD382E83912C836A567FC42D881F2
SHA-512:	5D7C67C2B41D505CEA2CEFF0B3602E7D23C7B1426A871B7ED308F51A39CD2896B3C82186C267D094E284A9BE01B9FC7BBA9A42305F1EC783BB9A2C167093CF6D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ...d..d..d....s.\|....F.i....r.^..m.[.g..m.K.b....g..d.......w.w....E.e..Richd..........PE..L....dTg.....................(........O...........@...........................O.....i.P...@.................................M.$.a.....$.......................$..................................................................................... . ..$.......$.................@....rsrc.........$.......$.............@....idata ......$.......$.............@...gngdpjhn.....$......$.............@...poaqzqjh......O.......O.............@....taggant.0....O.."....O.............@...........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	971776
Entropy (8bit):	6.706097682311586
Encrypted:	false
SSDEEP:	24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8a+Qu9:ETvC/MTQYxsWR7a+Q
MD5:	B6E7FA7056D471A01E6524CA245D0C1E
SHA1:	BD5B8F3621CA13879571733B395C3F88A237708F
SHA-256:	FDAC0180BD57E05876618C0BD9A34264644225CE7A4E561FE5819C3698C673B3
SHA-512:	DEC5FE82353D13DA092BA54848AB7A1713A290872DD64F25A0AD17D9251097289D8B1FCA7D876CB97366DB2E366A8FCC6AD40CEAE80BC6382EDB1AE8E7146D97
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L....hng.........."..........$......w.............@..........................0......v.....@...@.......@.....................d...\|....@...i.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....i...@...j..................@..@.reloc...u.......v...^..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2817536
Entropy (8bit):	6.4947934941030026
Encrypted:	false
SSDEEP:	49152:mRKWoGCSGEa/QjFAUo3pxdiwSHSmWOQHbcrNjr:mRKvGChEAQhJ4xdiwSHpLv
MD5:	93A5223F9562039D7EF899F0EC56FE60
SHA1:	3B9B22A10230419C0AA7B2A5EE1BC80AE2B56DB7
SHA-256:	026227529E6552A3C0FD2875D4ACFBD8A7460CAF501DC9168772995D967FEE12
SHA-512:	26EF84E2776437BDBC2229E3988B4109A8CC20491DE278970E4CC643C420E29ED02AF4C1EA36C001956F7E9472A5A5BE63C5F1F25DCE9E646B84059A1465A9F6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....3.+...`.................................U...i....`..D........................................................................................................... . .@... ...@... ..............@....rsrc...D....`.......`..............@....idata . ...........f..............@...nrnabjtb........p..h..............@...ogfktabi. ... +....................@....taggant.@...@+..".................@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaiintain.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	7.3648707161155675
Encrypted:	false
SSDEEP:	49152:IX9AV3uOFXm1sfcqpN/gjyD4VnBBOj9a:IwBcq7gGg
MD5:	AA835D6591F41D6D07832CF3D74F53A2
SHA1:	F21285AC0A8B7BDDE5E5891C201702CBE1ED1F63
SHA-256:	7F0EE4BDBB8C63ADC31C9ACF4DDF598C6C43EAD11BCB8C814D0F0A3C5233FA40
SHA-512:	DA237435B9D92456A355BAD6EE0EFF0BB912280DBC20DBD61E05C9D1CC742F327FF0BCE99156B0A20E95FFAFBEBE0D70D52303469EC036AB911650A40B0977CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....kg................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......................................................................................................................".'.<.>.&.......................................................................................................................d........'......@B..............................;...Z...x.......................0...N...m................................................................................. .'./.".[.].(.)...........\...( ) ............................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1645056
Entropy (8bit):	7.3689768353218215
Encrypted:	false
SSDEEP:	49152:4XF3BLXp1wWoU0NxvEWc0H22NOuwBOj1a:63BLZStNyJ0H2ia
MD5:	92A9F111C456947F39B59EB9F13E4BF6
SHA1:	644253E99442B76BA5191A84A7DB0A956988BA95
SHA-256:	7DA88908E482FEC4CA9FD15C846070A79F223F358E65CC2F74416F10E030C9D6
SHA-512:	2A4B8D8D042E8E917612661F40F7030D8856D9BB97647331B86E6D86FC9B485A0F6E68A2A8C7A4B7CF5B393B2020876E3BCA1B6C6DA4692C6C1CD64868EA3353
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(.kg.........."...................... ....@...... .......................`............`...@......@............... ...............................@............................................................................................... ..H............text........ ...................... ..`.rsrc........@......................@..@........................................H.......................................................................................................................".'.<.>.&.......................................................................................................................d........'......@B..............................;...Z...x.......................0...N...m................................................................................. .'./.".[.].(.)...........\...( ) ....................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1adbdqzk.cqj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqzfqc3g.izz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tc12gztk.11y.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wc2mbb3l.xlu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\5uVReRlvME.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3282944
Entropy (8bit):	6.646187450967402
Encrypted:	false
SSDEEP:	49152:j7kcxFzkOpo8hL5yo7KiVtzhaXIxidXdgClBk2/k:jJPzkOpPtE4Xa4xidXxC2/k
MD5:	1588755C36BC56FE356BEA6F41B38DD6
SHA1:	FF66FDF5312A3054CD0E598BA5E74FA2EA60B1EB
SHA-256:	43BFCE1D0B5A83F67F9CFCBE5BE0CD70EB0E0FF4D51A8E7E2D462C46BB892161
SHA-512:	3C7099716826F75A10B3E2921D7D516A1F7057F004F69E5A0E4011F0FE4F23833156E560BC1D6839D7DC075F858F0C8CC6B9BDF256234DD3FD6F0739DA055763
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f............................. 2...........@..........................P2.....j.2...@.................................W...k.............................2...............................2..................................................... . ............................@....rsrc...............................@....idata ............................@...gvvbyobv.`+......Z+.................@...brrunild......2.......1.............@....taggant.0... 2.."....1.............@...........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\5uVReRlvME.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\dD03eDN3F3\Bunifu_UI_v1.5.3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	242176
Entropy (8bit):	6.47050397947197
Encrypted:	false
SSDEEP:	6144:SIQpxILDXGGMO7Ice9C5kQw2hWHcHTykhb:SIQpxILDXGGlET9n/cHG
MD5:	2ECB51AB00C5F340380ECF849291DBCF
SHA1:	1A4DFFBCE2A4CE65495ED79EAB42A4DA3B660931
SHA-256:	F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
SHA-512:	E241A48EAFCAF99187035F0870D24D74AE97FE84AAADD2591CCEEA9F64B8223D77CFB17A038A58EADD3B822C5201A6F7494F26EEA6F77D95F77F6C668D088E6B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Jl.X...........!..................... ........... ....................... ............@.....................................W.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........`..4e...........U..............................................}.Y.y.=.{.X.x.=..r...p.o2....o...(3.....o2...}....:..s.....(...........2r...p(;...&Vr...p.....r...p.......(....>.........}.......(C.....o...(D...(E...}.....(F...(E...(G...&>.........}.......(C.....o...(D...}.....(F...(E...(H...&".......>.........}....R..} .....{ ...oo.....{ ..."..}!.....{!......}.....{#....{....op....{....,...{ ...oo.....{!...oo.....{....B.....su...(v.....{#....{#...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.987570256738398
Encrypted:	false
SSDEEP:	24576:Zk3DQWeEnmEPHTJOzTL7x5oNDBviACw/OBYByJ0oNaTlCCCQ0C8acTobR:ZRrULMzf6d6g/OYsXaTVCxo
MD5:	990EC3DDAD4A74B16A404FBFDD19CEA2
SHA1:	C54F15ABEDE5CB1A187A9BA9BAA6EF0219BF6FFB
SHA-256:	073DE19F20CA9A4E34BCC00319BF0B4807360C2220769D3C4E45122244BD3A85
SHA-512:	C633F0B05B72455E47AEC9006AE2C6A51B4D62F1C00F721833DFF55771473501102F7F2B437A09518BDC0910BE7EB474EAF94E5C2788368BE62D865847D6172B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................@.............@...........................;...........@................................. P-..............................P-.........................................................................................................................@............0... ......."..............@................P...4...0..............@............@...0...$...d..............@.............'..p......................@....data....P...P-..N...B..............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\5uVReRlvME.exe
File Type:	data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	3.378848471174179
Encrypted:	false
SSDEEP:	6:DMdEqrlVXflNeRKUEZ+lX1CGdKUe6tPjgsW2YRZuy0ltDut0:ov3f2RKQ1CGAFAjzvYRQVtut0
MD5:	B9DD229F8AF1D13F4AC085C2A40907A2
SHA1:	DD1183E15F14C5073319FE7F86D81481EE30AC2B
SHA-256:	66A5349346196317C09A6F9E1D52C0EB02EA910FB63B81C9A430235DCF3D5B78
SHA-512:	CD6FE64CD0A72A2C087A4E0153B1EA071A687658E29EF15E5EA96794EE0073E38ED848FF0851C53F74D04DA0EB6EE915F9C9A2F6129DCE6B78F60CF8AF10143A
Malicious:	false
Reputation:	unknown
Preview:	......C8.. C.4..o.F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................0.@3P.........................

C:\zrjmnqcrx\gretsylgaw_638708682569357197.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.987570256738398
Encrypted:	false
SSDEEP:	24576:Zk3DQWeEnmEPHTJOzTL7x5oNDBviACw/OBYByJ0oNaTlCCCQ0C8acTobR:ZRrULMzf6d6g/OYsXaTVCxo
MD5:	990EC3DDAD4A74B16A404FBFDD19CEA2
SHA1:	C54F15ABEDE5CB1A187A9BA9BAA6EF0219BF6FFB
SHA-256:	073DE19F20CA9A4E34BCC00319BF0B4807360C2220769D3C4E45122244BD3A85
SHA-512:	C633F0B05B72455E47AEC9006AE2C6A51B4D62F1C00F721833DFF55771473501102F7F2B437A09518BDC0910BE7EB474EAF94E5C2788368BE62D865847D6172B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig............................@.............@...........................;...........@................................. P-..............................P-.........................................................................................................................@............0... ......."..............@................P...4...0..............@............@...0...$...d..............@.............'..p......................@....data....P...P-..N...B..............@...........................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.906890595608518
Encrypted:	false
SSDEEP:	3:SXhRi75n:SC5
MD5:	3A33AF4BC7DC9699EE324B91553C2B46
SHA1:	4CCE2BF1011CA006FAAB23506A349173ACC40434
SHA-256:	226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE
SHA-512:	960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D
Malicious:	false
Reputation:	unknown
Preview:	1.29548Enjoy!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.646187450967402
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5uVReRlvME.exe
File size:	3'282'944 bytes
MD5:	1588755c36bc56fe356bea6f41b38dd6
SHA1:	ff66fdf5312a3054cd0e598ba5e74fa2ea60b1eb
SHA256:	43bfce1d0b5a83f67f9cfcbe5be0cd70eb0e0ff4d51a8e7e2d462c46bb892161
SHA512:	3c7099716826f75a10b3e2921d7d516a1f7057f004f69e5a0e4011f0fe4f23833156e560bc1d6839d7dc075f858f0c8cc6b9bdf256234dd3fd6f0739da055763
SSDEEP:	49152:j7kcxFzkOpo8hL5yo7KiVtzhaXIxidXdgClBk2/k:jJPzkOpPtE4Xa4xidXxC2/k
TLSH:	7DE54BF2670473CFF08A16B8A11BCF465A9D83B54B2708C3995B647B7E63CC119BAD24
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x722000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F6EC87EE1AAh
psadbw mm6, qword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edx+ecx], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x320810	0x10	gvvbyobv
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3207c0	0x18	gvvbyobv
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x68000	c39552d917558affe19c74cdba712ac4	False	0.5593660794771634	data	7.129208139987393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x5d4	0x600	1e55db351164df1643ae87d7efa3ee0f	False	0.4303385416666667	data	5.417125179370491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gvvbyobv	0x6b000	0x2b6000	0x2b5a00	07e8280828953b3e712079b400a10a68	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
brrunild	0x321000	0x1000	0x400	7c6487a51a6cf12d982093332725406c	False	0.736328125	data	5.829914921254712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x322000	0x3000	0x2200	1d125f488e2498152a2525790e39df9b	False	0.08191636029411764	DOS executable (COM)	0.8773331990029077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x69070	0x3e4	XML 1.0 document, ASCII text			0.48092369477911645
RT_MANIFEST	0x69454	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:47:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\5uVReRlvME.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5uVReRlvME.exe"
Imagebase:	0xd00000
File size:	3'282'944 bytes
MD5 hash:	1588755C36BC56FE356BEA6F41B38DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:47:56
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0x7ff7699e0000
File size:	3'282'944 bytes
MD5 hash:	1588755C36BC56FE356BEA6F41B38DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:47:57
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x9f0000
File size:	3'282'944 bytes
MD5 hash:	1588755C36BC56FE356BEA6F41B38DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:49:00
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0x9f0000
File size:	3'282'944 bytes
MD5 hash:	1588755C36BC56FE356BEA6F41B38DD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:49:12
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"
Imagebase:	0x790000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:49:12
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:49:13
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024103001\a762d7e2e8.exe"
Imagebase:	0x790000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2606102060.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2606272422.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2581455167.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2581349627.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:49:22
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024104001\ac8336f967.exe"
Imagebase:	0xba0000
File size:	2'668'544 bytes
MD5 hash:	87330F1877C33A5A6203C49075223B16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.4203011469.0000000001386000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.4175876589.0000000001386000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000003.4175178439.0000000001386000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 48%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:49:32
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	532ABCCDFE34F585BE8EEC40BDC7972D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2643255550.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000003.2639566891.000000000060A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000000.2638786963.0000000000457000.00000002.00000001.01000000.0000000C.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Local\Temp\1024105001\vncgroups.exe, Author: ditekSHen
Antivirus matches:	Detection: 91%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:49:32
Start date:	27/12/2024
Path:	C:\ProgramData\idmans\idmans.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\idmans\idmans.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	532ABCCDFE34F585BE8EEC40BDC7972D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000000.2642157802.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\ProgramData\idmans\idmans.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\idmans\idmans.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\idmans\idmans.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\ProgramData\idmans\idmans.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 91%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	03:49:43
Start date:	27/12/2024
Path:	C:\ProgramData\idmans\idmans.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\idmans\idmans.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	532ABCCDFE34F585BE8EEC40BDC7972D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000000.2749404051.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.2751574905.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:49:45
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024106001\a82132a0ca.exe"
Imagebase:	0xb40000
File size:	4'523'520 bytes
MD5 hash:	EFD7BBABA8AA8E6865430D1FFCFBF2D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:49:52
Start date:	27/12/2024
Path:	C:\ProgramData\idmans\idmans.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\idmans\idmans.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	532ABCCDFE34F585BE8EEC40BDC7972D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000002.2839389736.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000010.00000000.2838521082.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:50:01
Start date:	27/12/2024
Path:	C:\ProgramData\idmans\idmans.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\idmans\idmans.exe"
Imagebase:	0x400000
File size:	493'056 bytes
MD5 hash:	532ABCCDFE34F585BE8EEC40BDC7972D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000000.2925845428.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000011.00000002.2926825766.0000000000457000.00000002.00000001.01000000.0000000D.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:50:02
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024107001\ec6b49ebff.exe"
Imagebase:	0x400000
File size:	2'020'864 bytes
MD5 hash:	A799CA00B534622E3CE09CEDBB913F79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000012.00000002.4357723733.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000012.00000002.4358748739.0000000000ED8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	03:50:19
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1024108001\557d4db723.exe"
Imagebase:	0x7ff6f8cf0000
File size:	2'282'496 bytes
MD5 hash:	71B104246AC3F43D058E7C67E8B07DEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:50:21
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\soonmaintain.exe
Imagebase:	0x23063670000
File size:	1'645'056 bytes
MD5 hash:	92A9F111C456947F39B59EB9F13E4BF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.3749941328.000002307DDC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3737746500.000002307DC23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3631864100.0000023065988000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.3631864100.0000023065474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:50:26
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Imagebase:	0xb40000
File size:	502'272 bytes
MD5 hash:	A771A9D93D804668B707E13403915080
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:50:26
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:50:32
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024109001\4c60777cc9.exe"
Imagebase:	0xb40000
File size:	502'272 bytes
MD5 hash:	A771A9D93D804668B707E13403915080
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000003.3505275182.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:50:33
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024110001\da7b434153.exe"
Imagebase:	0xa70000
File size:	23'552 bytes
MD5 hash:	2A73FA2FB9F993D5F412716C3369ED0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 35%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	03:50:34
Start date:	27/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff74ff10000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:50:34
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\zrjmnqcrx'
Imagebase:	0x130000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:50:34
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:50:43
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Imagebase:	0xbf0000
File size:	1'995'776 bytes
MD5 hash:	3B6A8C673CDBE5C6944E92E7DE9F75CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001C.00000000.3351582341.0000000000BF2000.00000002.00000001.01000000.00000017.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001C.00000002.3476587616.000000000427A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001C.00000002.3476587616.0000000004049000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:50:45
Start date:	27/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	03:50:46
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024111001\72573a0b5a.exe"
Imagebase:	0xb60000
File size:	1'995'776 bytes
MD5 hash:	3B6A8C673CDBE5C6944E92E7DE9F75CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001E.00000002.3472145351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:50:53
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Imagebase:	0x850000
File size:	1'865'728 bytes
MD5 hash:	80EF44E8078DD87D1399FC27FAD67B01
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:51:04
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gretsylgaw_638708682569357197.exe"
Imagebase:	0xe0000
File size:	1'282'048 bytes
MD5 hash:	990EC3DDAD4A74B16A404FBFDD19CEA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:51:07
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024113001\20da271f67.exe"
Imagebase:	0x290000
File size:	5'220'864 bytes
MD5 hash:	A82B9D32414422F485E9FF40E510675F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000021.00000002.4260726771.0000000000291000.00000040.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000021.00000002.4269061613.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	03:51:08
Start date:	27/12/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
Imagebase:	0x160a96d0000
File size:	41'552 bytes
MD5 hash:	909A1D386235DD5F6BA61B91BA34119D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000002.3681499880.0000000140000000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:51:10
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Imagebase:	0x850000
File size:	1'865'728 bytes
MD5 hash:	80EF44E8078DD87D1399FC27FAD67B01
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	03:51:16
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024114001\1b18db46b2.exe"
Imagebase:	0x870000
File size:	971'776 bytes
MD5 hash:	B6E7FA7056D471A01E6524CA245D0C1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:51:19
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xab0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:51:19
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	03:51:20
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024112001\c36de44bba.exe"
Imagebase:	0x850000
File size:	1'865'728 bytes
MD5 hash:	80EF44E8078DD87D1399FC27FAD67B01
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000003.4036970096.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000003.4062581686.0000000001369000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	03:51:20
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:51:20
Start date:	27/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	03:51:21
Start date:	27/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 --field-trial-handle=2240,i,11010108224617170616,3557015706047403577,262144 /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	03:51:23
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xab0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	03:51:23
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:51:25
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xab0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	03:51:25
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	03:51:26
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xab0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	03:51:26
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	03:51:26
Start date:	27/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xab0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	03:51:26
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	03:51:28
Start date:	27/12/2024
Path:	C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1024115001\a0f4fa9b49.exe"
Imagebase:	0xa30000
File size:	2'817'536 bytes
MD5 hash:	93A5223F9562039D7EF899F0EC56FE60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	133
Start time:	03:53:19
Start date:	27/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff71e800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	747
Total number of Limit Nodes:	24

Executed Functions

Function 00D3652B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00D3652A,?,?,?,?,?,00D37661), ref: 00D36567

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 06f25c0327ce28dbdd195e43bd6e44c4fc15956a207dd10523c5e66ae0204aa9
Instruction ID: bbac3bcd5609bee247e9428faa441cf50770fd80c32b8851ef7df22bab1ea9a6
Opcode Fuzzy Hash: 06f25c0327ce28dbdd195e43bd6e44c4fc15956a207dd10523c5e66ae0204aa9
Instruction Fuzzy Hash: ADE086301402087ECF297B18D82DD8C3B69EF51741F044810F91546125CB29EE41C5A0

Function 050A0B7C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529ce140cd0a4455da88c643fd23996663b1e2cd0308f177c12249134ef3d5b2
Instruction ID: 98bc8bd181656a44ba64b64496a63b26dccddb0a9535a2ff6d6a9a6d6c289a11
Opcode Fuzzy Hash: 529ce140cd0a4455da88c643fd23996663b1e2cd0308f177c12249134ef3d5b2
Instruction Fuzzy Hash: B20196D7189108BEE14296D17B396FE6B5AA6673B0B308421B407C6643D1A546885162

Function 00D05C10 Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 00D060FA
Keyboard Layout\Preload, xrefs: 00D06054
00000422, xrefs: 00D060C9
00000419, xrefs: 00D06098
0000043f, xrefs: 00D0612B

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 68aae8fcab5a0907d44edc240a544c5fcc40060e6ef2c6bd62b2eba55d959220
Instruction ID: de10f1d1bbea940a9d4f03cb98c1e268a59fcce44527e27d9fa3e5961f33fa23
Opcode Fuzzy Hash: 68aae8fcab5a0907d44edc240a544c5fcc40060e6ef2c6bd62b2eba55d959220
Instruction Fuzzy Hash: 63F1B27090025CAFEB24DF58DC85BDEBBB9EF45304F504199E908A72C1DBB59A84CFA4

Function 00D09BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: aebfe5b90443996881dfc6a7acb3c6457004b63b1a96b89b3a6f0bcf97f7802b
Instruction ID: a31f9dc3e665ddf590f08d118bb04ba6af6dc620c51bcf91e6c0991524a63db7
Opcode Fuzzy Hash: aebfe5b90443996881dfc6a7acb3c6457004b63b1a96b89b3a6f0bcf97f7802b
Instruction Fuzzy Hash: 20314871B012049BEB08DB7CECD97ADF7A6EB96320F248219E018973D6C77589848775

Function 00D09F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 15c14ac8ec3ef772cc4651c0317f9f3d5e170caee0b0e3d1a124c580053cf449
Instruction ID: 38fad451ee39abd17205168816f00418304866e405395bc92da19de7a1c30255
Opcode Fuzzy Hash: 15c14ac8ec3ef772cc4651c0317f9f3d5e170caee0b0e3d1a124c580053cf449
Instruction Fuzzy Hash: 343148317053049BEB18DB7CEC997ADBBA6EF85310F248219E018D73D6D77589808772

Function 00D0A079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ac64c6ba24f584fe0b0d56cd3f86fd8f7333a72b47e29510a015268eaa86a7ea
Instruction ID: 5ba424047f97ead428e11d8dd18aad66fea49621202f45612b90cd0e210c4550
Opcode Fuzzy Hash: ac64c6ba24f584fe0b0d56cd3f86fd8f7333a72b47e29510a015268eaa86a7ea
Instruction Fuzzy Hash: 7E3157317103049BEB08DB7CEC89BADB7A2DB96310F248219E018DB3D5C77699808B73

Function 00D0A1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 622be12e5daaccaf3709a4fb953abb19943c1c93790d51fe94dfba6228f5f5e0
Instruction ID: 3095325ce7e426a15c2fd38aac4b3d494852b4ab881c560e12532224f1cb67de
Opcode Fuzzy Hash: 622be12e5daaccaf3709a4fb953abb19943c1c93790d51fe94dfba6228f5f5e0
Instruction Fuzzy Hash: 803139317013449BEB08DB7CEC8D7ADB7A6EB96310F248219E018DB3D1D77689848776

Function 00D0A418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 09d36daf7cd255aae348079d96749f208e3feb177ef401ff25d5b0d7f846de72
Instruction ID: 7f1820c37c2f87d32d3dd1df49cab02d0c700c09fb2329525f4a86b14b8c1636
Opcode Fuzzy Hash: 09d36daf7cd255aae348079d96749f208e3feb177ef401ff25d5b0d7f846de72
Instruction Fuzzy Hash: 11312931B003049BEB08DBBCEC8DBADB766EB95314F248218E01C9B2D5D7B589808776

Function 00D0A54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 355e5de08e25e270c26245a5abffaeb3d4640bf83ae1fef3263630d13e46c606
Instruction ID: 34e2c03ee4438aa3cb962c6e322d77cacdf93aed39a874496e4c079590358727
Opcode Fuzzy Hash: 355e5de08e25e270c26245a5abffaeb3d4640bf83ae1fef3263630d13e46c606
Instruction Fuzzy Hash: 3D3116317017049BEB08DB7CEC9EBADB766EB85314F688218E4589B2D1DB7589808732

Function 00D0A682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 28c5a9ed5d8c9e581244cef3a805fa8a21576c2e3d6f4a80f37f8de84bff8bb7
Instruction ID: 119eb901a6347c06047108edf9277609d0e30bff2a2829f77d89117009a68c50
Opcode Fuzzy Hash: 28c5a9ed5d8c9e581244cef3a805fa8a21576c2e3d6f4a80f37f8de84bff8bb7
Instruction Fuzzy Hash: 9E3116717013049BEB08DB7CEC89BADB7B6DBC5310F288218E018972D1D77589808772

Function 00D09ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 9489839cdf800f694e027015b382f630a1865523a244c864f2b2380f1b3f69de
Instruction ID: b59aff939fd980a6f5ce5d5033498ef9d4c0202ae2493a49747828c08a5ded36
Opcode Fuzzy Hash: 9489839cdf800f694e027015b382f630a1865523a244c864f2b2380f1b3f69de
Instruction Fuzzy Hash: 662137317053049BEB189B6CFCDA7ACF766EBD5320F244219E408D72D5DB7599808B31

Function 00D0A856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: bb0480e330ab03c6a4364b834fc14c7a7d1b68d5984d011bb5f30883ac59e43f
Instruction ID: 88529106f1f4723d621cae877cc20bc64b20203a0de9adb8c3fbe1c5bb454006
Opcode Fuzzy Hash: bb0480e330ab03c6a4364b834fc14c7a7d1b68d5984d011bb5f30883ac59e43f
Instruction Fuzzy Hash: 1A213A31745305DBEB28E76CAC9B7ADB652DF91300F288816E44CD62D1CBB6998482B3

Function 00D0A34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064), ref: 00D0A963
CreateMutexA.KERNEL32(00000000,00000000,00D63254), ref: 00D0A981

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: db725dcf9f0ff08c4da5bbec15a849b9ed93759f0e4be85cd7e0290d560dc5ff
Instruction ID: 28e29c0a1918bbf6275413a050ee7738e047b79d7adf48775fcd95f479acaa96
Opcode Fuzzy Hash: db725dcf9f0ff08c4da5bbec15a849b9ed93759f0e4be85cd7e0290d560dc5ff
Instruction Fuzzy Hash: F42149327053049BEB18DB6CFC9A7ACB766DBD5310F244219E408D77D1CB7699808772

Function 00D07D30 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00D07ED3

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 42cd29116053ff99bab6145898a4b72f9dae4de7a84ed8d6dfccfa4f65ecab65
Instruction ID: c2c0de02146d383ad2b243cd523ca493e04dc60efc160557d8e7996e73d56ec0
Opcode Fuzzy Hash: 42cd29116053ff99bab6145898a4b72f9dae4de7a84ed8d6dfccfa4f65ecab65
Instruction Fuzzy Hash: 69E1FB70E006449BDB14BB68DC4B3AE7B71EB81710F544298E859A73C2DF755E848BF2

Function 00D3D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D3A813,00000001,00000364,00000006,000000FF,?,00D3EE3F,?,00000004,00000000,?,?), ref: 00D3D871

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1459c33693bcbdea231f62519b2a8b784288189a007c870dc7ef2070d05f3d44
Instruction ID: ac975a989356f7f72944e2430703f1d89440fc6704708af80dcb12438189d9ea
Opcode Fuzzy Hash: 1459c33693bcbdea231f62519b2a8b784288189a007c870dc7ef2070d05f3d44
Instruction Fuzzy Hash: FFF0823260562566EB216A76BC01A5B775BDF85770F1D8521FD08A7181DA60FC01DEF0

Function 00D087B2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00D0DA1D,?,?,?,?), ref: 00D087B9

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d84f25272373ec3753628a29d9d69b6b44b0caf88d608e0fe1d5ded9b99a405
Instruction ID: f2f19964e125d08589bbb033984f128b9838ade3f9e4c4dad19c87a6c408c197
Opcode Fuzzy Hash: 1d84f25272373ec3753628a29d9d69b6b44b0caf88d608e0fe1d5ded9b99a405
Instruction Fuzzy Hash: DAC08C2801260025EE1C053C01DAAA8338989C77B43F81B88E0F88B1F5DA355807F230

Function 00D087B0 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,00D0DA1D,?,?,?,?), ref: 00D087B9

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9a8de48e7c7cece2bf1301ee99f329348ea99fe42ed01adc6c7b68bdd3ce8b14
Instruction ID: 9c8d92e3a02238940e36462b247fd933475449ff5d44e707638315e33d4399c0
Opcode Fuzzy Hash: 9a8de48e7c7cece2bf1301ee99f329348ea99fe42ed01adc6c7b68bdd3ce8b14
Instruction Fuzzy Hash: 33C08C3801220066EA1C4A3C519AA6832499A837393F80B9CE0B98B1F5DB32C803E6B0

Function 00D0B1A0 Relevance: 1.5, APIs: 1, Instructions: 244COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00D0B3C8

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 63734a48302abe18cf6a1585cb46b9f15947b392716e523c0385d68a6c9f6c9f
Instruction ID: 5b4329504b801c9ee243754c4b2310c821181167b8b504697f27e921f93f3bfc
Opcode Fuzzy Hash: 63734a48302abe18cf6a1585cb46b9f15947b392716e523c0385d68a6c9f6c9f
Instruction Fuzzy Hash: A0B11770A14268DFEB28CF18CD94BDEB7B5EF15304F5045D9E40967281D775AA88CFA0

Function 050A0BA3 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd93c0e4a3b62591d879de461943a55b8e53cb8bbe0d522a57e42509a7fbc44
Instruction ID: 0f35a08dcf821c2615c0cb266f8cc8838f753a45b738af80a211b27ec327b802
Opcode Fuzzy Hash: 8bd93c0e4a3b62591d879de461943a55b8e53cb8bbe0d522a57e42509a7fbc44
Instruction Fuzzy Hash: 9111AFA314910CAFD70297D0BB7E6FD7F65EB2B334730445AE0438B143D2A003899152

Function 050A0B8E Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b4ae96e495faf46635a526a239d54a018a9c33c16d9341846c8c82be12d854
Instruction ID: 423c1f53551ba42e95faffe54032b521cea9580b98ae012fb1e745f76fd6356e
Opcode Fuzzy Hash: f4b4ae96e495faf46635a526a239d54a018a9c33c16d9341846c8c82be12d854
Instruction Fuzzy Hash: 4E01D897189108BEE202D7D1AB3E6FE3F5BA7673B0B308511A44786643A1A546885162

Function 050A0BB7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5824905a9520f974c57f766a88a12158d26419287d8cedfc15f72733e5bf3b1b
Instruction ID: c32d0a34c0735d6051cb72cc4f99c5a197f0f788a49dbb3200e349f83c4095d8
Opcode Fuzzy Hash: 5824905a9520f974c57f766a88a12158d26419287d8cedfc15f72733e5bf3b1b
Instruction Fuzzy Hash: 1A0149AB18920CFED202A7E1BB396FE3F9BA767370B308511F047D7643D1A546C89162

Function 050A0BD5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472a5c9b4fe94f863b6178340fa49a0964f768bbc9c86ea5d61ac5335bbeede7
Instruction ID: 5c76e75b08e9e49c21aa1591cb19f73bfb5096f564e7f0047ad4443a7f5eccb3
Opcode Fuzzy Hash: 472a5c9b4fe94f863b6178340fa49a0964f768bbc9c86ea5d61ac5335bbeede7
Instruction Fuzzy Hash: C6F02BA704910CEBD713ABE0BA792FE3F926B373B0B248511A4479B743C17917C9A153

Function 050A0C1A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681ba95f1a666dce3bd325712e147c84be920c4f8cf7dd5df44a6bdded167a21
Instruction ID: a6b4475c2e8e0cd85a9231c4e0eb271b95b5cf087df8624241cb1fee0aa42550
Opcode Fuzzy Hash: 681ba95f1a666dce3bd325712e147c84be920c4f8cf7dd5df44a6bdded167a21
Instruction Fuzzy Hash: 39F02BA7148108EBD712BBE1A9BD2FE3BD36B363B0F208425B043C7647D63596C5A152

Function 050A0BFD Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4848e3adf506611f27425aab83ecc5353d5192b6b0d6c43ee3888c6f193e04
Instruction ID: b95496b2c094b37278189a29c729dd7bcff77d8f6c722280b6e1bce9fd04bbd0
Opcode Fuzzy Hash: 4f4848e3adf506611f27425aab83ecc5353d5192b6b0d6c43ee3888c6f193e04
Instruction Fuzzy Hash: 2AF02BA7144208EBD712BBE199792FE7B936B263B0B1080247047C7643D23552C8A152

Function 050A0BED Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a025317ec25850d6e20a4e5200047c5402f09a8ef21704919c768b4dd992b0
Instruction ID: 5b6d9f0b07fb6478880f7efdce143aef63b05cd311195d558ab0f442c18df090
Opcode Fuzzy Hash: 89a025317ec25850d6e20a4e5200047c5402f09a8ef21704919c768b4dd992b0
Instruction Fuzzy Hash: 3EF0E06714920CF7D7026BD0B53A1FD3F565B273B17208521A447C7543816515C49152

Function 050A0C34 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c670a514c78f3b588698f97dad819ed98a12fefc8c5b8fc27dc6d054c790834
Instruction ID: 5aac7e7933d100b7abca0060f8093c4b95d1d19561bfc9b00600ea5fdb8f2431
Opcode Fuzzy Hash: 3c670a514c78f3b588698f97dad819ed98a12fefc8c5b8fc27dc6d054c790834
Instruction Fuzzy Hash: 85E080D7145208E7D20377E1A97E3FE3F455B373B1B2045217087D3743955512C86153

Function 050A0C50 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1709047275.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50a0000_5uVReRlvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06596efc7ada3beea816c63d49863d1e22a6ae772ad53f3e0c4724330b478f5
Instruction ID: 271f8b3b903ce94a60d914aef3e0b853554bb3249d45f9219cd18d88a293f117
Opcode Fuzzy Hash: c06596efc7ada3beea816c63d49863d1e22a6ae772ad53f3e0c4724330b478f5
Instruction Fuzzy Hash: 3FE027D754C10859F50397E1B5375FF67C6A77773036055356087D3747D0AD01C51015

Non-executed Functions

Function 00D431A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D43323

Strings

1#SNAN, xrefs: 00D444BA
1#INF, xrefs: 00D444DE
1#QNAN, xrefs: 00D444C1
1#IND, xrefs: 00D444B3

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6f69dc666234d793f05ea00daca39f9a023b6297232f4a33ba431e7315b73f54
Instruction ID: 7586dfb96b2a3a5692f17b16a6b2c4346529871bcf42aa378d51991e70f8ab6d
Opcode Fuzzy Hash: 6f69dc666234d793f05ea00daca39f9a023b6297232f4a33ba431e7315b73f54
Instruction Fuzzy Hash: A5C23A71E046288FDF25CE28DD807EAB7B5EB48315F1841EAD84DE7240E775AE858F60

Function 00D0E0C0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 00D0E10B
recv.WS2_32(?,?,00000008,00000000), ref: 00D0E140

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 97eb7375d76f71fa117ef3c0985b39171084153c64c0ea682957e71a11922ee6
Instruction ID: 333b4d845672c9abaf8d3b22f5892a0cc63796176b0dc608d0564e39bf65d810
Opcode Fuzzy Hash: 97eb7375d76f71fa117ef3c0985b39171084153c64c0ea682957e71a11922ee6
Instruction Fuzzy Hash: 4031D871A44348AFD720CB69DC85BEB7BBCEB08724F040625E515E73D1DA74E8458BB1

Function 00D42D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction ID: 0343c358ef2ca755a894f771945632938d1f4582c8d8dadcdea8b425706e463f
Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
Instruction Fuzzy Hash: F4F12E71E012199FDF14CFADC8806ADB7B1FF48314F298269E919AB344D731AE45CBA0

Function 00D1CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00D1CF52,?,00000003,00000003,?,00D1CF87,?,?,?,00000003,00000003,?,00D1C4FD,00D02FB9,00000001), ref: 00D1CC03

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 681df3408b7208e8719ebdfef2022d39dcb6181e15b60053e0f27a8b65588648
Instruction ID: f077117c1e3525d9bd89c14a662b1ac2d1c8e9c41aa4e96b4850b1c75f9c3997
Opcode Fuzzy Hash: 681df3408b7208e8719ebdfef2022d39dcb6181e15b60053e0f27a8b65588648
Instruction Fuzzy Hash: 47D0223A682638B38A012BC4FC088EDBF699E00B20B041111ED08A3220CE90AC904BF5

Function 00D37F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00D380B2

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 67e1c0be7dc019e8dac7fb539212f9b59530c0718ceb8bbf851563ca5aa76219
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 80515BB1608F446ADB3C4A2888957BE679ABF12300F1C0519F482D7291CE52DD4DB371

Function 00D04DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b152f71cf3250ff9f55e71da73fbc120c0bcec509396e75088348945e50f0abc
Instruction ID: 280393a1a9286b8b56ffb834351bce96a1c4c3e15f0a3252b2193d1f4b40b3f8
Opcode Fuzzy Hash: b152f71cf3250ff9f55e71da73fbc120c0bcec509396e75088348945e50f0abc
Instruction Fuzzy Hash: 00225EB3F515144BDB0CCA5DDCA27ECB2E3AFD8214B0E813DA40AE3345EA79D9159644

Function 00E17B6E Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e717d526a02c3b57c278c11e3989ba51da537bdb57d9df11ed6792f353cb8e
Instruction ID: 76e6f2cb819f6c24c6b98c46c63fd1865164d1917ae9806f6e1cebc2457f5ea7
Opcode Fuzzy Hash: f2e717d526a02c3b57c278c11e3989ba51da537bdb57d9df11ed6792f353cb8e
Instruction Fuzzy Hash: 7DA1AFF3F1062547F3484939CCA83626692DBA5310F2F82798F4DAB7C6E87E5C4A4384

Function 00D47049 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ff0dfde091a5f5998934629ae571f7d7f70fd699432d1115f5fef54825ffc3
Instruction ID: d03fa8f919107dc853b1a6cf4494ea57bc70cbf86e24c3649375ec4a352db1ac
Opcode Fuzzy Hash: 91ff0dfde091a5f5998934629ae571f7d7f70fd699432d1115f5fef54825ffc3
Instruction Fuzzy Hash: 04B14C31614605DFD729CF28C48AB657BE1FF45364F298658E8DACF2A1C335E982CB50

Function 00E18101 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47618caaa1667e130c088228bfa658430bc7c3a5d3466c9384adb114b9040463
Instruction ID: 57db22c3a84562d46331c7ead0d6ad33417dd37b68cbb4fe80ed6f9c8bc88a38
Opcode Fuzzy Hash: 47618caaa1667e130c088228bfa658430bc7c3a5d3466c9384adb114b9040463
Instruction Fuzzy Hash: EC913AF7F115254BF3944935CD5836266839BE0324F2F82788B9DAB7C6E97E8C0A5384

Function 00D04B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5395c702256918005983a506cfba30eb9a0600fc87150aba3f4da050e32caa
Instruction ID: 33d84a15d9a8299cb10e0edd850ad369ba35368bef21edd810b5e4b17e5bd882
Opcode Fuzzy Hash: 5e5395c702256918005983a506cfba30eb9a0600fc87150aba3f4da050e32caa
Instruction Fuzzy Hash: 2C81E0B0A002458FEB15CF69D890BFEBBF1FB19300F1902A9D958A7392C7759945CBB0

Function 00D478BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f29f04dbf0a0f8571c3945d76f74d7a7eff5786554ef52bf35872423fad135
Instruction ID: fc5683562d869743d3690a7668b785769acbfbff9be5b4eae7e3c505f87236e2
Opcode Fuzzy Hash: 92f29f04dbf0a0f8571c3945d76f74d7a7eff5786554ef52bf35872423fad135
Instruction Fuzzy Hash: C021B673F20539477B0CC47E8C5227DB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 00D4779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0e14eda54dc5c6fab706ab031f2c283264d5a08928b8f8c7c3258e58591b79
Instruction ID: c8742176a453e2a620f3fc2e50a1f91f3f1604aff041c9f72d1ceef81988f49b
Opcode Fuzzy Hash: ef0e14eda54dc5c6fab706ab031f2c283264d5a08928b8f8c7c3258e58591b79
Instruction Fuzzy Hash: FD11CA33F30C255B675C816D8C1727AA5D2DBD824070F433AD826E7384E994DE13D2A0

Function 00D48860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: fb12797da79c430a679423992cbee1fbed919f52fa49ec8c543a2507b0b9a82a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 78113D7760018243E6048A3DF8F45BFE795EBC53A17AC437AD1814B758DE22D945BA70

Function 00D3A302 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: e822f8a4412ea6087d01f44483d99eb54177bded94a2b53d1146afec0951df19
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 98E08C72A21228EBCB14DBDCC90499AF3ECEB49B50F650096F501D3150C270DE00C7E0

Function 00D3CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D3CC66

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
Instruction ID: 15a764062197cbee0aec5f003c9a65fba04ed30f48d31010ded4bb8a1c2ac991
Opcode Fuzzy Hash: 50646cb43b7217affa873159b33a8ceb5ad87b323bf0650c56aca3f8e12e7eb4
Instruction Fuzzy Hash: 25B13632D246859FDB25CF28C881BBEBBE5EF45340F18916AE855FB242D6349D41CB70

Function 00D02EC0 Relevance: 6.3, APIs: 4, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00D02F5F
__Mtx_unlock.LIBCPMT ref: 00D02FCC
__Mtx_unlock.LIBCPMT ref: 00D030F5
__Mtx_unlock.LIBCPMT ref: 00D0319B

Memory Dump Source

Source File: 00000000.00000002.1705471866.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D00000, based on PE: true

Associated: 00000000.00000002.1705457655.0000000000D00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705471866.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705846196.0000000000D69000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705866926.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705891380.0000000000D77000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705971516.0000000000EDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1705984583.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000EF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706000240.0000000000F05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706026192.0000000000F0D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706325866.0000000000F0F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706763549.0000000000F3D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706837407.0000000000F42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706923925.0000000000F43000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707014666.0000000000F48000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707031490.0000000000F5C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707044460.0000000000F60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707057236.0000000000F68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707070316.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707081502.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707093485.0000000000F74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707105110.0000000000F75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707116761.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707129352.0000000000F7E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707141163.0000000000F80000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707153417.0000000000F82000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707167893.0000000000F86000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707182899.0000000000F8F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707200616.0000000000F96000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707213752.0000000000F97000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707236890.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707281155.0000000000F9E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707320110.0000000000F9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707398752.0000000000FAF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707438898.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707456116.0000000000FB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707477123.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707582924.000000000100B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707629653.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707646986.000000000100D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707716467.0000000001010000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707744466.0000000001012000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707760306.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1707776516.0000000001022000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d00000_5uVReRlvME.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 9d51bf5fd4c0f6219d0cc63730003b3f7de3357246d15e097d0546060fc1741c
Instruction ID: 98fc44761e12f7c32f41fb70c89f3635450e1f0371e71fe8d8734fb246079482
Opcode Fuzzy Hash: 9d51bf5fd4c0f6219d0cc63730003b3f7de3357246d15e097d0546060fc1741c
Instruction Fuzzy Hash: 2EA1E270A01315EFDB20DFA5D9457AAB7A8FF19354F088129E819D7281EB31EA44CBB1

Analysis Process: skotes.exePID: 3716, Parent PID: 5960COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	575
Total number of Limit Nodes:	4

Executed Functions

Function 00A2652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00A2652A,?,?,?,?,?,00A27661), ref: 00A26567

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 10fa5b05f7532545c49d0e9466ce786e740392ac132155c962522283c0b253c8
Instruction ID: 842a3a9d8822c78191dd4632093487d258853d48bae740394bf30be28986c93b
Opcode Fuzzy Hash: 10fa5b05f7532545c49d0e9466ce786e740392ac132155c962522283c0b253c8
Instruction Fuzzy Hash: EDE08C31042118AFCF25BB1CE959E583B69EB92745F014824F8284A622CB26EE81CA80

Function 009F9BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: a20922e4ef3dd15216c53dd1175ae57a609c666e0d7ff659038eef0f71c7332e
Instruction ID: df1bb0128c3499baa0a0cafd04890e8272a315c05b246bd72acfa31d1b41e13c
Opcode Fuzzy Hash: a20922e4ef3dd15216c53dd1175ae57a609c666e0d7ff659038eef0f71c7332e
Instruction Fuzzy Hash: 15316D72A012098BEB08DBB8ED897BDB7B6EFD2310F304228E5189B3D5C77559808751

Function 009F9F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ab8eae52402bdbb88712db0164d150000f0d06aa895f58c76a9fe1bf25102183
Instruction ID: 148709cdea9ebca327af7498690c141afb01b7d45363638eff7ebf42f68535fb
Opcode Fuzzy Hash: ab8eae52402bdbb88712db0164d150000f0d06aa895f58c76a9fe1bf25102183
Instruction Fuzzy Hash: 5B317B726102088BEB08DB78DD857BCB7A6EBC6310F244629E518DB3D5C77659808712

Function 009FA079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: e5bc13ca72bfd34b4f461f0971aeb232327b6cf9dea4801bd689bad071cba251
Instruction ID: 0d6d293b1a6227514ad7205b044fdf20372330f0c6d5944c4526144d8d3a0486
Opcode Fuzzy Hash: e5bc13ca72bfd34b4f461f0971aeb232327b6cf9dea4801bd689bad071cba251
Instruction Fuzzy Hash: 48317BB2B142089BEB08DBB8DD857BDB776EFD2314F244228E518D73D5C77659808712

Function 009FA1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 64b8dc2e9059154234c498b69acd6a60a28d619a6635f6115400476cb9647309
Instruction ID: 38608c445b740614c3f9195aa0b2899ff5a173a2e478d61bf6d5a4fbe9dfba0f
Opcode Fuzzy Hash: 64b8dc2e9059154234c498b69acd6a60a28d619a6635f6115400476cb9647309
Instruction Fuzzy Hash: F3316AB2B042099BFB08DBB8DDC97BDB776ABC6320F204228E518973D5C77659C08712

Function 009FA418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 7e452f8830d8854d8abf390e87f75c23169f404e86e2a507ed77e3de17224305
Instruction ID: be835ede621fbc789c83caf5eb0d5c29d2259502f96f4f7cf793ab01ef52dcf9
Opcode Fuzzy Hash: 7e452f8830d8854d8abf390e87f75c23169f404e86e2a507ed77e3de17224305
Instruction Fuzzy Hash: 31314C72A112089BEB08EBB8DD8977DB765EFC1314F204228E5189B3E5C7B559C08752

Function 009FA54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 6371c8a9b56bbc60deef7488ce0428e2d9d36b27bdc96e92408d65b58a915bd6
Instruction ID: 43317ef2e9e0d9a986c22bc1ffb09699fbfa87aefc4f745a821e6f0c2dbfbb1e
Opcode Fuzzy Hash: 6371c8a9b56bbc60deef7488ce0428e2d9d36b27bdc96e92408d65b58a915bd6
Instruction Fuzzy Hash: 2D315D716011088BEB08DBB8DDD977DB765EFC5324F348628E518DB3D5C77599808712

Function 009FA682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 3e20dd5b8f945f177f3895ff06aa82c98878afda0144020d306c1b2459f72e3e
Instruction ID: b885a7935127be6a5ba66b5f32dc334f71e3220125ca5483d192876608dd9dea
Opcode Fuzzy Hash: 3e20dd5b8f945f177f3895ff06aa82c98878afda0144020d306c1b2459f72e3e
Instruction Fuzzy Hash: 9C316FB1A002089BEB08EB78DD85B7DB776EFC5324F348628E518D73D5C77559808752

Function 009F9ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 26fecc7ebf444bb02820c328cb09ef6c476523a9f03afecf2639f69e602889fd
Instruction ID: d1727aef06594ba9f70164b0eae4af799b195509595f019e386579caddf3ed38
Opcode Fuzzy Hash: 26fecc7ebf444bb02820c328cb09ef6c476523a9f03afecf2639f69e602889fd
Instruction Fuzzy Hash: 662149726142089BEB18DF6CECC5B7CB765EBD1311F204229E508DB6E5CBB699818711

Function 009FA856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 511024848d8d7cec45df45b84724609818d8b95dc775061e11f562af231d0e62
Instruction ID: 68ffd90b70cec67fb7f6c5f1b8c663b6063f21024ee4e02f7dc6ee7381c79318
Opcode Fuzzy Hash: 511024848d8d7cec45df45b84724609818d8b95dc775061e11f562af231d0e62
Instruction Fuzzy Hash: 54213DB16452099AFB24A7E8989677DB355AFC1710F340826E70CD72D1CAFA59818363

Function 009FA34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: ee7383d3b1537ddecf3858f5192232cec3715b256a56163126eff12bd87e1f3d
Instruction ID: ccc5f2b75b19d8b72e9c7e2fdde76dc527666eea390d4458e916f26cc23b49df
Opcode Fuzzy Hash: ee7383d3b1537ddecf3858f5192232cec3715b256a56163126eff12bd87e1f3d
Instruction Fuzzy Hash: B72179726152089BEB08DB68EC8577CB766EBD1321F204229E90CDB7D4C7B669C08712

Non-executed Functions

Function 00A2CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A2CC66

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction ID: 4dbb11203779e78e1291dbe5c3549971ef22702a5c9a6b95e97ad58a59af87ec
Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction Fuzzy Hash: 4AB146329042A59FDB15CF2CD8817BEBBF5EF45360F25417AE855EB242D6389E01CBA0

Function 009F2EC0 Relevance: 6.3, APIs: 4, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 009F2F5F
__Mtx_unlock.LIBCPMT ref: 009F2FCC
__Mtx_unlock.LIBCPMT ref: 009F30F5
__Mtx_unlock.LIBCPMT ref: 009F319B

Memory Dump Source

Source File: 00000001.00000002.1736012924.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000001.00000002.1735990368.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736012924.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736071269.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736088156.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736106774.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736213863.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736231453.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736252687.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736285725.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736301025.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736326538.0000000000C22000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736342279.0000000000C23000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736358898.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736374731.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736390317.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736406329.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736431369.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736447595.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736463990.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736479905.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736494333.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736509586.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736522845.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736536627.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736550825.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736564496.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736578616.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736592758.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736607886.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736624135.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736637541.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736653371.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736668370.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736683342.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736704064.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736721244.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736738783.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736760738.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736812024.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736828570.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736843277.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736858124.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736873209.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736889568.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000001.00000002.1736914180.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 90e65a47a99cdc9accd5f4ec21791d16cca79828ba573c04f8e8564279c9eb3e
Instruction ID: c2b7d92f3da33490f291dd7b3daf0bc636c30023fecbc59884fb8136337082d4
Opcode Fuzzy Hash: 90e65a47a99cdc9accd5f4ec21791d16cca79828ba573c04f8e8564279c9eb3e
Instruction Fuzzy Hash: F9A1E471A05209DFDB20DF64D9447AAB7B8FF15320F04862AE915D7281EB39EA04CBD1

Analysis Process: skotes.exePID: 4080, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	575
Total number of Limit Nodes:	4

Executed Functions

Function 00A2652B Relevance: 1.5, APIs: 1, Instructions: 24
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00A2652A,?,?,?,?,?,00A27661), ref: 00A26567

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a8cd340045ae6e8261f3f347ea9f912a2a0702629edda45c52476f4cef2af62d
Instruction ID: 40e6f9924f2374866416d2eff23013991f2e0daf46e896a35fbdd630db4065a2
Opcode Fuzzy Hash: a8cd340045ae6e8261f3f347ea9f912a2a0702629edda45c52476f4cef2af62d
Instruction Fuzzy Hash: C5E0CD3114116C6FCF36BB1CD90DE5C3B59EF51741F008820F81856125CB75DD82C640

Function 009F9BA5 Relevance: 3.1, APIs: 2, Instructions: 140
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: a4e9b99a9e8be85c8b28f932c761319e665810abe7968a0cfb30c741de456d82
Instruction ID: 10e01576c1a05a703c48c8e07277a5189044feba4a609831a6fcc4bc365a45e5
Opcode Fuzzy Hash: a4e9b99a9e8be85c8b28f932c761319e665810abe7968a0cfb30c741de456d82
Instruction Fuzzy Hash: E5316F71B002089BEB08DB78DD897BDB7A6EFD1310F204218E118973D5C7B549808B51

Function 009F9F44 Relevance: 3.1, APIs: 2, Instructions: 137
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 48932fd6eb66bfad9ab5016523ec9abf2932ee484b55fb641faf2ab2a64a50c5
Instruction ID: 78ac336edffc4dc1e702c0fe9c97c4f45492b6584bee067713ecdde4ec425568
Opcode Fuzzy Hash: 48932fd6eb66bfad9ab5016523ec9abf2932ee484b55fb641faf2ab2a64a50c5
Instruction Fuzzy Hash: C0315B717102089BEB0CDB78DD887BDB7A6EBC5310F244619E118DB7D1C77649808752

Function 009FA079 Relevance: 3.1, APIs: 2, Instructions: 136
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 323c1c02b8fb542003919dbbd97b49d57442715fef4b1e21a73f7731b5902732
Instruction ID: e629e4f4fc31641d340b354205af52d21cff6cc98f6caae3b6637be50d663309
Opcode Fuzzy Hash: 323c1c02b8fb542003919dbbd97b49d57442715fef4b1e21a73f7731b5902732
Instruction Fuzzy Hash: 6D314AB1B142089BEB08DBB8DD897BDB776EBD1310F248618E118977D1C77659808B52

Function 009FA1AE Relevance: 3.1, APIs: 2, Instructions: 135
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 5bbf96d85f0c0c441450a0b8ff8b4dcd01a532e23e962eeae6edf394b530979a
Instruction ID: d4151a5b0871106a437cbafd75c593118c61b21d55bd6744353928fcc3239b27
Opcode Fuzzy Hash: 5bbf96d85f0c0c441450a0b8ff8b4dcd01a532e23e962eeae6edf394b530979a
Instruction Fuzzy Hash: 31314AB1B142099BFB08DBB8DDCD7BDB766ABC5310F204628E118973D1C77659C08752

Function 009FA418 Relevance: 3.1, APIs: 2, Instructions: 133
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 630783d161231bbf877d9c9a8b40f39b65e8e935de296edfa6bac27266995c2d
Instruction ID: 733fd65abcf72fb846f71888b2a36a53641c6949fa8d355fa0f2e8d31ff8f3e8
Opcode Fuzzy Hash: 630783d161231bbf877d9c9a8b40f39b65e8e935de296edfa6bac27266995c2d
Instruction Fuzzy Hash: E5312A71B102089BEB08EBB8DD8D7BDB765EFC1310F204228E2189B7E5D7B549C08B52

Function 009FA54D Relevance: 3.1, APIs: 2, Instructions: 132
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 2b97a976e744f8cef580f02554c210049a794b9cd6917802a667013dce37bc32
Instruction ID: 70f212b1eecacdcc5196479801d79d55e8f483e02a684ba10f08813094cc445f
Opcode Fuzzy Hash: 2b97a976e744f8cef580f02554c210049a794b9cd6917802a667013dce37bc32
Instruction Fuzzy Hash: E9315BB1B001089BEB08DBB8DDC97BDB766EFC5314F248628E518DB7D5C77989808B12

Function 009FA682 Relevance: 3.1, APIs: 2, Instructions: 131
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 8f0929d1bbacbe8740a8ddf0558ad8c8ecc5bfe649a2e324dba9d0d089afa880
Instruction ID: 277761634d9a9de65cb40b4c06231db90f668b5939c6a63c62015d92c3b807ad
Opcode Fuzzy Hash: 8f0929d1bbacbe8740a8ddf0558ad8c8ecc5bfe649a2e324dba9d0d089afa880
Instruction Fuzzy Hash: 97314DB1B102089BEB08EB78DD89BBDB776EFC5310F248628E518DB7D1C77589808752

Function 009F9ADC Relevance: 3.1, APIs: 2, Instructions: 107
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 58ee09dc9ea2ff2513d38e77e5380024ade97e12caf07da34afbfa63d751f5d7
Instruction ID: a30784faf2814dfc16fd90466cb119de622f8209ddd2fdefa420cd9711ac7a22
Opcode Fuzzy Hash: 58ee09dc9ea2ff2513d38e77e5380024ade97e12caf07da34afbfa63d751f5d7
Instruction Fuzzy Hash: 72217972B042089BEB189F6CEDC977DF365EBD1311F204328E618CB6D5CBB689808711

Function 009FA856 Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 6a63a61748eb565201f79f7e8c486fad49ba5bbae9f6ae3912dc94503b044b0c
Instruction ID: 051f26f8984b1618862aee2416d441b2d7ceb7b917c0bf0ea6fc1b302d967567
Opcode Fuzzy Hash: 6a63a61748eb565201f79f7e8c486fad49ba5bbae9f6ae3912dc94503b044b0c
Instruction Fuzzy Hash: EE216DB17452099AFB2867E8989A77DB355AFC1700F200916E70CD72D1CAFA498183A3

Function 009FA34F Relevance: 3.1, APIs: 2, Instructions: 100
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000064), ref: 009FA963
CreateMutexA.KERNELBASE(00000000,00000000,00A53254), ref: 009FA981

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: CreateMutexSleep
String ID:
API String ID: 1464230837-0
Opcode ID: 462baf77d92883f2bb98e11ffc0677e1deaf1bd9559bcfcff9823a8f45458a76
Instruction ID: 4ce0507bc8be21a654207c94cda60d1b2d9513f4937e592019466344037d20a1
Opcode Fuzzy Hash: 462baf77d92883f2bb98e11ffc0677e1deaf1bd9559bcfcff9823a8f45458a76
Instruction Fuzzy Hash: 372179727142089BEB089B68ED897BDF766EBD1311F204229E618DB7D0CBB659C08752

Non-executed Functions

Function 00A2CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A2CC66

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction ID: 4dbb11203779e78e1291dbe5c3549971ef22702a5c9a6b95e97ad58a59af87ec
Opcode Fuzzy Hash: b6ef493d185ecd6e05961dbd11159ec72a600f70796096a8f2b5786dd78cba64
Instruction Fuzzy Hash: 4AB146329042A59FDB15CF2CD8817BEBBF5EF45360F25417AE855EB242D6389E01CBA0

Function 009F2EC0 Relevance: 6.3, APIs: 4, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 009F2F5F
__Mtx_unlock.LIBCPMT ref: 009F2FCC
__Mtx_unlock.LIBCPMT ref: 009F30F5
__Mtx_unlock.LIBCPMT ref: 009F319B

Memory Dump Source

Source File: 00000002.00000002.1736943354.00000000009F1000.00000040.00000001.01000000.00000008.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000002.00000002.1736917369.00000000009F0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1736943354.0000000000A52000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737037668.0000000000A59000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737062578.0000000000A5B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737142778.0000000000A67000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737284490.0000000000BCD000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737307664.0000000000BCF000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BE9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737338731.0000000000BF5000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737383552.0000000000BFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737402864.0000000000BFF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737442605.0000000000C2D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737466537.0000000000C32000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737490441.0000000000C33000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737514951.0000000000C38000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737540340.0000000000C4C000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737563149.0000000000C50000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737588608.0000000000C58000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737612406.0000000000C5C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737634622.0000000000C5D000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737658242.0000000000C64000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737682890.0000000000C65000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737711594.0000000000C67000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737727715.0000000000C6E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737750295.0000000000C70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737776976.0000000000C72000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737800659.0000000000C76000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737820452.0000000000C7F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737842304.0000000000C86000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737863603.0000000000C87000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737891071.0000000000C8D000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737912975.0000000000C8E000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737935813.0000000000C8F000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737965377.0000000000C9F000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1737986808.0000000000CA1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738009682.0000000000CA2000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CA4000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738033416.0000000000CCF000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738093826.0000000000CFB000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738112435.0000000000CFC000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738135782.0000000000CFD000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738156235.0000000000D00000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738177981.0000000000D02000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738204060.0000000000D11000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1738228917.0000000000D12000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 90e65a47a99cdc9accd5f4ec21791d16cca79828ba573c04f8e8564279c9eb3e
Instruction ID: c2b7d92f3da33490f291dd7b3daf0bc636c30023fecbc59884fb8136337082d4
Opcode Fuzzy Hash: 90e65a47a99cdc9accd5f4ec21791d16cca79828ba573c04f8e8564279c9eb3e
Instruction Fuzzy Hash: F9A1E471A05209DFDB20DF64D9447AAB7B8FF15320F04862AE915D7281EB39EA04CBD1

Analysis Process: a762d7e2e8.exePID: 7976, Parent PID: 7780COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	0.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 007C619E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,007C6110,007C6100), ref: 007C6334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 007C6347
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 007C6365
ReadProcessMemory.KERNELBASE(00000094,?,007C6154,00000004,00000000), ref: 007C6389
VirtualAllocEx.KERNELBASE(00000094,?,?,00003000,00000040), ref: 007C63B4
WriteProcessMemory.KERNELBASE(00000094,00000000,?,?,00000000,?), ref: 007C640C
WriteProcessMemory.KERNELBASE(00000094,00400000,?,?,00000000,?,00000028), ref: 007C6457
WriteProcessMemory.KERNELBASE(00000094,?,?,00000004,00000000), ref: 007C6495
Wow64SetThreadContext.KERNEL32(00000098,00BE0000), ref: 007C64D1
ResumeThread.KERNELBASE(00000098), ref: 007C64E0

Strings

ResumeThread, xrefs: 007C62D8
VirtualAllocEx, xrefs: 007C629C
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 007C6333
GetP, xrefs: 007C621E
Load, xrefs: 007C61DA
VirtualAlloc, xrefs: 007C6263
GetThreadContext, xrefs: 007C6276
CreateProcessW, xrefs: 007C6250
ReadProcessMemory, xrefs: 007C6289
ress, xrefs: 007C6226
WriteProcessMemory, xrefs: 007C62AF
aryA, xrefs: 007C61E2
SetThreadContext, xrefs: 007C62C2
TerminateProcess, xrefs: 007C63C3

Memory Dump Source

Source File: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: c79b5769db431e68acbab0980e199bb04b2753900026d8b94b6a72354d0aa9de
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: BDB1F97664068AAFDB60CF58CC80FDA73A5FF88714F158128EA08AB341D774FA51CB94

Function 007ABD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9ABFD95C,?,007ABE51,?,?,00000000), ref: 007ABE03

Strings

api-ms-, xrefs: 007ABD99
ext-ms-, xrefs: 007ABDAD

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 51f1a24244dd568375257e226cb891debea3b0d78a072d0b5ad3ca135e8ccbc8
Instruction ID: 2422e4af0f67faf74330513f6b52f0e9cd067e35e6acba2e290dc1c58acce50e
Opcode Fuzzy Hash: 51f1a24244dd568375257e226cb891debea3b0d78a072d0b5ad3ca135e8ccbc8
Instruction Fuzzy Hash: 0E212772B01214A7C7219B65DC55F9A37689F83360F244328FD06A7292DB3CFD01C6D0

Function 00791860 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 007918E3
GetFileSize.KERNEL32 ref: 00791912
CloseHandle.KERNEL32 ref: 0079192E

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 6280f18c0d3c9ce4c651531a3cf1bfbda433c4acf782e58d9db0a3040602858a
Instruction ID: 5a02992db2963c2fe47fe4a4a0559d34b85c8cdc9babefb79be8f53d76fea29b
Opcode Fuzzy Hash: 6280f18c0d3c9ce4c651531a3cf1bfbda433c4acf782e58d9db0a3040602858a
Instruction Fuzzy Hash: 3971A0B4D04249CFCB00EFA8E598B9DBBF0BF48314F508529E499AB350D738A959CF52

Function 007A4B24 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,Ixz,007A4BE6,Ixz,007A7849,?,00000002,9ABFD95C,007A7849,00000002), ref: 007A4B35
TerminateProcess.KERNEL32(00000000), ref: 007A4B3C
ExitProcess.KERNEL32 ref: 007A4B4E

Strings

Ixz, xrefs: 007A4B26

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: Ixz
API String ID: 1703294689-3611034753
Opcode ID: cd78040d7e0daf59ca1f1685fad6179185acc45f592d6886d7b199bed235f93b
Instruction ID: f860b6aa6520e753fdc23088139e7536be3ea23aa14db0c312dbe4c1da1b5f8e
Opcode Fuzzy Hash: cd78040d7e0daf59ca1f1685fad6179185acc45f592d6886d7b199bed235f93b
Instruction Fuzzy Hash: D0D06CB2044108AFCB112FA1EC1DE5D3F2AABC1382B44C518B9094A461DFBAD952DAA8

Function 0079A4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcspn.LIBCMT ref: 0079A631
_strcspn.LIBCMT ref: 0079A65F

Strings

@, xrefs: 0079A92F

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: aae0f2d0c1b2170bfecc231a925016be2bebe6aae04242ddd3bef22ca951f8b3
Instruction ID: c2f518970607501a952309ae6ba1285836f63d35517728abd3a3f3e8b5dc2866
Opcode Fuzzy Hash: aae0f2d0c1b2170bfecc231a925016be2bebe6aae04242ddd3bef22ca951f8b3
Instruction Fuzzy Hash: 2832F3B4905269CFCB24DF64D981A9DFBF1BF49300F0585AAE849A7301D734AE85CF92

Function 00791700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 0079176B
VirtualProtect.KERNELBASE ref: 0079181B

Strings

@, xrefs: 0079180F

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual
String ID: @
API String ID: 621788221-2766056989
Opcode ID: 717b27244cbe473adf6c1187f6dc345455d5d19bf3867df0cc17c719f60ed7d8
Instruction ID: 38b601316610102b18b38e9b552a1c40d821d5244a4d5f25699025fee6dc97ca
Opcode Fuzzy Hash: 717b27244cbe473adf6c1187f6dc345455d5d19bf3867df0cc17c719f60ed7d8
Instruction Fuzzy Hash: 9F41C1B0D00209DFCB04EFA9E884A9EBBF0EF48314F51841DE858AB351D7799944CF95

Function 007A481D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00014935,00000000,?,?), ref: 007A4866
GetLastError.KERNEL32(?,00000000,00000000,?,0079B58D), ref: 007A4872
__dosmaperr.LIBCMT ref: 007A4879

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 90f785133f4de3f22fc42c725b0f24ded7f60e1a431318e0aa6daf3e121dd1b8
Instruction ID: c5531242c7c60753c782adbce520d3c30e8eda3f5a0144b41451de72bb0c8364
Opcode Fuzzy Hash: 90f785133f4de3f22fc42c725b0f24ded7f60e1a431318e0aa6daf3e121dd1b8
Instruction Fuzzy Hash: 59019272501255FBDF199FA0EC09AAE3B64FFC2360F104258F80196150DBBED950DB90

Function 007A49B3 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007AB104: GetLastError.KERNEL32(00000000,?,007A6BB6,007AC132,?,?,007AB000,00000001,00000364,?,00000005,000000FF,?,007A495A,007C56B0,0000000C), ref: 007AB108
Part of subcall function 007AB104: SetLastError.KERNEL32(00000000), ref: 007AB1AA

CloseHandle.KERNEL32(?,?,?,007A48AD,?,?,007A4993,00000000), ref: 007A49E4
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,007A48AD,?,?,007A4993,00000000), ref: 007A49FA
ExitThread.KERNEL32 ref: 007A4A03

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 644d9e3df6dca1b9a33ae579da1ec2ca3385ddf9897bcd8c78e394a98f20d3b7
Instruction ID: f105e3a273d6bf3214a0a508119351cde0e4e78982228baa2211090df34bda70
Opcode Fuzzy Hash: 644d9e3df6dca1b9a33ae579da1ec2ca3385ddf9897bcd8c78e394a98f20d3b7
Instruction Fuzzy Hash: 75F05E30248640ABCB215B75E84DA5B3BA86FC2360B19C714F82BD65A1DBAEEC51C658

Function 0079B510 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0079B5BB

Strings

M*y, xrefs: 0079B5C8

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID: M*y
API String ID: 2134207285-3249652273
Opcode ID: 3a6fe1206882890ad426d0fa97cd97fbc435b7e3f71867dced6806e2748b7aa8
Instruction ID: 4fbb41f4ec4be34e9a1b60d2b9847fa9086e8c4ad76c88814fbcb45b640dda8f
Opcode Fuzzy Hash: 3a6fe1206882890ad426d0fa97cd97fbc435b7e3f71867dced6806e2748b7aa8
Instruction Fuzzy Hash: F921D8B0904209DFDB04EFA8E5556AEBBF0BF44700F01846DE445AB350EB78AA45CF95

Function 007B2D15 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007B30BF: GetConsoleOutputCP.KERNEL32(9ABFD95C,00000000,00000000,?), ref: 007B3122

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,S'z,007A24F1,?,S'z), ref: 007B2E9A
GetLastError.KERNEL32(?,007A2753,?,?,?,?,?,?,?,?,?,?,?), ref: 007B2EA4

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 2246a17e69e1822df2c2bd7260aca0f6764a7bc1ea5e329ff9eb16adf33c0e78
Instruction ID: d020107fd4e02d0e99e4db5e9199322d718366e44731f799596a3cfdf762a9ef
Opcode Fuzzy Hash: 2246a17e69e1822df2c2bd7260aca0f6764a7bc1ea5e329ff9eb16adf33c0e78
Instruction Fuzzy Hash: 9E61A271905159AFDF11DFA8C889FEEBBB9BF19304F140149F800A7252D73ADA42CBA5

Function 007B34EE Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,007B2E80,?,007A2753,?,?,?,00000000), ref: 007B358A
GetLastError.KERNEL32(?,007B2E80,?,007A2753,?,?,?,00000000,?,?,?,?,S'z,007A24F1,?,S'z), ref: 007B35B0

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 37cfe6a46af417c6d948283cdaf181f0f238a92520cbb3565085deaadbe1cdbe
Instruction ID: a90af8bd75e5175ab06f7ac0e3a9ac12b490254359ccf84c12b60e8d8b5c60c2
Opcode Fuzzy Hash: 37cfe6a46af417c6d948283cdaf181f0f238a92520cbb3565085deaadbe1cdbe
Instruction Fuzzy Hash: EA216071A002199FCF29CF29DC90AEDB7B9EF49305F1440A9E946D7211E634EE86CB64

Function 007AC862 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,007AC751,007C5BA0), ref: 007AC8AE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,007AC751,007C5BA0), ref: 007AC8C0

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 103ded5003a76e0a5985c282783f66a01f82d00bcfc4355719d602cf528ab0a9
Instruction ID: f3993aac926b9d6d5b6c041ad7561765d25d6b42674dfb8dc4556ed569ea0214
Opcode Fuzzy Hash: 103ded5003a76e0a5985c282783f66a01f82d00bcfc4355719d602cf528ab0a9
Instruction Fuzzy Hash: FD110072204741AADB324E3E8C88A32BA94BBD7330B38071ED0B6C35F1C63CD886D605

Function 007A4935 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(007C56B0,0000000C), ref: 007A4948
ExitThread.KERNEL32 ref: 007A494F

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 171b9a9dc833ec7574e7adc32549ffc718ac936d08192c5f22348e6991d97465
Instruction ID: 32d91c419462b2865933963dc6895d344cd6b0e726498c5c3adc3b8d0983e587
Opcode Fuzzy Hash: 171b9a9dc833ec7574e7adc32549ffc718ac936d08192c5f22348e6991d97465
Instruction Fuzzy Hash: 95F08CB1940201EFDB14AF70D80AA6E3B74EF82711F11424DF40697252DBBDA951DFA1

Function 00791B70 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00791B98
GetModuleFileNameA.KERNEL32 ref: 00791BB8

Part of subcall function 00791860: CreateFileA.KERNELBASE ref: 007918E3

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: FileModule$CreateHandleName
String ID:
API String ID: 2828212432-0
Opcode ID: 93d662465ce973b7289fa8b46164a0da564afe4fb14931f3342ee2b2ac4a58fc
Instruction ID: 1fc38e795a06c3e19fe5bc4de05c393faf84fca6d0e9f3ee117289dee72cd7e0
Opcode Fuzzy Hash: 93d662465ce973b7289fa8b46164a0da564afe4fb14931f3342ee2b2ac4a58fc
Instruction Fuzzy Hash: 20F0BDB190420D8FCB54EF78E95969DBBF4AB14300F4185ADD4C9D7240EA7859988F86

Function 007AAD27 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,007AF0A4,?,00000000,?,?,007AED44,?,00000007,?,?,007AF68A,?,?), ref: 007AAD3D
GetLastError.KERNEL32(?,?,007AF0A4,?,00000000,?,?,007AED44,?,00000007,?,?,007AF68A,?,?), ref: 007AAD48

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 809c6c830e5fe377abebb31a9b5545d881ffcd65e4cd80f76f4476910364501a
Instruction ID: ccadd5b38b2e22dd8caf30077e9adb7a53281efaabeb568b1327df547fa3e7a7
Opcode Fuzzy Hash: 809c6c830e5fe377abebb31a9b5545d881ffcd65e4cd80f76f4476910364501a
Instruction Fuzzy Hash: DBE08632100204F7CF112BA5BC0DF593BA8EB85755F18C224F609CA475DB3C8850C799

Function 00791EA0 Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00791ECA

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c6561a475bba809dee823d8330b50e5e3f1e63603253368f8743c706a70d21c3
Instruction ID: 3c47751c045908495ac6f69176db47c1843468ec345382b68f85392dbf2a0ef9
Opcode Fuzzy Hash: c6561a475bba809dee823d8330b50e5e3f1e63603253368f8743c706a70d21c3
Instruction Fuzzy Hash: 35C11974608344DFCB04EF68E485B2ABBE0AF89358F11891DF896CB362D639D915CB42

Function 0079CE13 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b058f6aa112ee8a0d0887c4982feddf8dbcc32af20d9d5c1b34744a37e231e
Instruction ID: 80425e0f42df8823b4e180918bd34d71920b918d1199cefb170bf4b5476cd016
Opcode Fuzzy Hash: e1b058f6aa112ee8a0d0887c4982feddf8dbcc32af20d9d5c1b34744a37e231e
Instruction Fuzzy Hash: B6419C72A0011AAFCF15DF68E4908EDB7BAFF08310B544129E442E7A40EB39E945DB90

Function 007ABE0D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0facebed2977feb43cacdb0bb0483e7c74f7f73f8eea98e0da522577ff715d6
Instruction ID: 57e2d11fe9b3e16b4fd522f19c1bcc4726cb2eafafddb04c0eca8305cfd1ca21
Opcode Fuzzy Hash: f0facebed2977feb43cacdb0bb0483e7c74f7f73f8eea98e0da522577ff715d6
Instruction Fuzzy Hash: B001D8332186159FDB169F68EC91DAB33E6BBC2724B248328FA10CB155DB39DC108794

Function 007AAD61 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,007ACD3A,?,?,007ACD3A,00000220,?,00000000,?), ref: 007AAD93

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f92cee6db3d5f4b845bc504a0bd88f8acc52c0b7af2a553f148b82922d71b0e4
Instruction ID: d2b6f837d0da875193675dfa5da53585b07f34fc774ef9468e3cc5c256545223
Opcode Fuzzy Hash: f92cee6db3d5f4b845bc504a0bd88f8acc52c0b7af2a553f148b82922d71b0e4
Instruction Fuzzy Hash: FBE06531300711B6D72226A59C05F5A77589BC77A2F294311BC859AEA8EB6CDC00C7E6

Non-executed Functions

Function 007A8D90 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

"t{, xrefs: 007A91F1, 007A8FE0
"t{, xrefs: 007A8DAE, 007A8F46, 007A9111, 007A9166

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID:
String ID: "t{$"t{
API String ID: 0-1138939747
Opcode ID: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction ID: a431664abc9590a20d8b93a2b58c58a880da0ea006f23d76a494e1a167324f87
Opcode Fuzzy Hash: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction Fuzzy Hash: DF023C71E0021ADFDF14CFA9D8846AEFBB1FF89314F248269E519A7381D735A911CB90

Function 007B0062 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 007B016A
IsValidCodePage.KERNEL32(00000000), ref: 007B01A8
IsValidLocale.KERNEL32(?,00000001), ref: 007B01BB
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 007B0203
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 007B021E

Strings

`/|, xrefs: 007B0117

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: `/|
API String ID: 415426439-4231599944
Opcode ID: 7941e2f7e5db30c4746540e6714b412b68e66059e4197eea988ad3bdacb02f0c
Instruction ID: d9d13fc29794a780de9bdec86399df8a60739f33c0ed19caf28306e9c2307bf5
Opcode Fuzzy Hash: 7941e2f7e5db30c4746540e6714b412b68e66059e4197eea988ad3bdacb02f0c
Instruction Fuzzy Hash: 63515D71A00209AFEB24EFA9CC49BEF77B8BF44700F144529E905E7191E7B8D904CBA5

Function 007B07C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,007B0198,00000002,00000000,?,?,?,007B0198,?,00000000), ref: 007B0860
GetLocaleInfoW.KERNEL32(?,20001004,007B0198,00000002,00000000,?,?,?,007B0198,?,00000000), ref: 007B0889
GetACP.KERNEL32(?,?,007B0198,?,00000000), ref: 007B089E

Strings

OCP, xrefs: 007B081B
ACP, xrefs: 007B07E5

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c39277727e1aa47351ff887bb4e0c6773a981adf77b5b60f097a4f738941bf70
Instruction ID: e17ca48c7e8160b9af644c8d6e2c8234d5d0dc03447fce116c7ae70222cd6130
Opcode Fuzzy Hash: c39277727e1aa47351ff887bb4e0c6773a981adf77b5b60f097a4f738941bf70
Instruction Fuzzy Hash: 25219F22A40101EAEB348F54C945BDB73AAEF94B60B56C438E90EDB114E73ADF40C3D0

Function 007B0DA9 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 007B0E99
FindNextFileW.KERNEL32(00000000,?), ref: 007B0F8D
FindClose.KERNEL32(00000000), ref: 007B0FCC
FindClose.KERNEL32(00000000), ref: 007B0FFF

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 0cce675e10cdd8f2e980ceb9b5311f3a3de384f7e6f7d85cbde1af02faaaa507
Instruction ID: 1b9a4c18080f3410e8c117c18a34571daef17c42352b2548e53c20b97d168184
Opcode Fuzzy Hash: 0cce675e10cdd8f2e980ceb9b5311f3a3de384f7e6f7d85cbde1af02faaaa507
Instruction Fuzzy Hash: 1671D271945158AFDF31AF248C9DBFFBBB8AB45300F5442D9E049A3211EB399E848F54

Function 0079E42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0079E438
IsDebuggerPresent.KERNEL32 ref: 0079E504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0079E51D
UnhandledExceptionFilter.KERNEL32(?), ref: 0079E527

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 08f61cc5a603dd4f47fe58248ba7b603ac65d7928db79627dd33b2f0904298c3
Instruction ID: 48513079d9ffca5d1c968d3cb155fb9c3d3ba39a5e3f096b65e3c7abad94492b
Opcode Fuzzy Hash: 08f61cc5a603dd4f47fe58248ba7b603ac65d7928db79627dd33b2f0904298c3
Instruction Fuzzy Hash: 7931D9B5D01218DBDF21DFA5D949BCDBBB8AF08304F1041AAE40CAB250EB759A85CF45

Function 007B034E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007B03A2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007B03EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007B04B2

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: b8603ae0471a4e6e8bc2c4fc162d3529224b9b810fdd809ae8f5bd1b1c335b15
Instruction ID: 2c10f95f3edac0f9712c81293ccc964cd252696449362a063492ef3bd0eb629d
Opcode Fuzzy Hash: b8603ae0471a4e6e8bc2c4fc162d3529224b9b810fdd809ae8f5bd1b1c335b15
Instruction Fuzzy Hash: ED616F719402079FEB28DF28CD86BAB77A8EF55300F1041A9ED05C6685FB78DA91DF90

Function 007A72FD Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 007A73F5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 007A73FF
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 007A740C

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9b25a3b48f7913f0a88039a86e244ccab7d70c81c26f613b5c5a1e776fec0ea8
Instruction ID: 95e7123afe4771b0921db424d781e2b18c9651775565ecf7b4b2293000a611bd
Opcode Fuzzy Hash: 9b25a3b48f7913f0a88039a86e244ccab7d70c81c26f613b5c5a1e776fec0ea8
Instruction Fuzzy Hash: 3231C5759012199BCB21DF25DD89BCDBBB8BF48310F5082EAE41CA7250E7749F858F44

Function 007B0600 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007B0654

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 94c3a90facfbe415df1c290282b11b2e6c7473cc0ddd3ec57c527ad6a86cacb1
Instruction ID: 252a7ff213d1abbca6d58a19bbe328ed78572ba1700e675f820dad987dfa2e26
Opcode Fuzzy Hash: 94c3a90facfbe415df1c290282b11b2e6c7473cc0ddd3ec57c527ad6a86cacb1
Instruction Fuzzy Hash: 39219272655206ABDB28AB24DC46FBB73A8EF85314B10417AFD05D6242EB78ED10CB94

Function 007B02B3 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

EnumSystemLocalesW.KERNEL32(007B034E,00000001,00000000,?,-00000050,?,007B013E,00000000,-00000002,00000000,?,00000055,?), ref: 007B0325

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 42b97e3084b9e239f26548564623fab85471b0945cb7cb7e0aa6be1153b29ec4
Instruction ID: d416855ea597911e594f817e9c018e12845d6fb0e3326d9fb2655ec1826b19e2
Opcode Fuzzy Hash: 42b97e3084b9e239f26548564623fab85471b0945cb7cb7e0aa6be1153b29ec4
Instruction Fuzzy Hash: 6F1102362047059FDB289F3988A56BBB7A1FB80358B14442DE98687B40D779A942CB80

Function 007B0720 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 007B0774

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d7fa31bb54d0c837b75eec39c25b7abac341700372dc578546ddc8718c5b8697
Instruction ID: 65fee189d6c1e76933d2f0f0e4ea9341ddd87ca5b3bfbf013456da2673ef6948
Opcode Fuzzy Hash: d7fa31bb54d0c837b75eec39c25b7abac341700372dc578546ddc8718c5b8697
Instruction Fuzzy Hash: 0A11A372650206AFDB14AB28DD4AABBB7ECEF45310B10417AF905D7241EF3CE9048B90

Function 007B08CD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,007B056A,00000000,00000000,?), ref: 007B08F9

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 53a1b516576dc295bbe539b895ea4c7cf7517f47f6ac457a22f91cd18b4a25f4
Instruction ID: 5d3161d5c42e9312456c755e6d3a90492193d999ad76fdaab33c7cd309738c21
Opcode Fuzzy Hash: 53a1b516576dc295bbe539b895ea4c7cf7517f47f6ac457a22f91cd18b4a25f4
Instruction Fuzzy Hash: 6C018632610116BFEB285A248C15BFB7768DB40754F154529EC47E3181EA78FE41CAD4

Function 007B05A1 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

EnumSystemLocalesW.KERNEL32(007B0600,00000001,?,?,-00000050,?,007B0106,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 007B05EB

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4ee5373bd23220569684b72c88054d5130e247c08bf199b9c687bf5760284b2c
Instruction ID: 98dac9c437da4217a2f934d33b8641047e14d1673479e6c8ab3f60d6b0f32616
Opcode Fuzzy Hash: 4ee5373bd23220569684b72c88054d5130e247c08bf199b9c687bf5760284b2c
Instruction Fuzzy Hash: 70F0C2362003045FEB245F399885BAB7BA5EF80368F05852CF9464BA90D6B9AC02CA90

Function 007ABFF0 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007A7594: EnterCriticalSection.KERNEL32(?,?,007AB440,?,007C5B00,00000008,007AB332,?,?,?), ref: 007A75A3

EnumSystemLocalesW.KERNEL32(007ABFE3,00000001,007C5B80,0000000C,007AB948,-00000050), ref: 007AC028

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7aeb3efef22e8902fc5989b876dc8f63f2d6c5b23224ca94d060213498d63914
Instruction ID: 75418ed94529d67020ab36f22e937ad93dbb71d79f2bb5ff0b7548e2719e8ded
Opcode Fuzzy Hash: 7aeb3efef22e8902fc5989b876dc8f63f2d6c5b23224ca94d060213498d63914
Instruction Fuzzy Hash: F7F03772A40204EFEB40EF98E84AB9D7BF0FB49720F10821AF400DB2A0DB7959008F45

Function 007B06D5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

EnumSystemLocalesW.KERNEL32(007B0720,00000001,?,?,?,007B0160,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 007B070C

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0925500159e7458b07372aea8663091836f5672c6b6d1e5911edffec1c724060
Instruction ID: 6012516f89680f1039a9cfecfc655d72e63cfbba7a0034939fec2a0d911ef573
Opcode Fuzzy Hash: 0925500159e7458b07372aea8663091836f5672c6b6d1e5911edffec1c724060
Instruction Fuzzy Hash: BEF0E53A3403055BCB149F36D859BABBFA4EFC2754B0A4058FA058B691CA79E842CBD4

Function 007ABA4C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,007A62F0,?,20001004,00000000,00000002,?,?,007A5202), ref: 007ABA80

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 58c4ce3b8c49b3faec95936a5c2564ade9f41b7444fa3da74d2aabbc8b45bc7a
Instruction ID: 2a4489d38eff042128dd8b222fe2f032c3fed27cd386a4d9cbd26c67ad5fef72
Opcode Fuzzy Hash: 58c4ce3b8c49b3faec95936a5c2564ade9f41b7444fa3da74d2aabbc8b45bc7a
Instruction Fuzzy Hash: 0CE08632504118FBCF226F61DC08EAE3F25EF85761F018214FD0665122CB399D21AAE4

Function 0079E420 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E541), ref: 0079E425

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7121c13189f6af09d8a59628cbeafd6deb53e1275b1065b769c7134909e7a6ad
Instruction ID: 89c2633dc6e7c904de247f8855e85c1bbd533659510b414fe1f00303669c8dde
Opcode Fuzzy Hash: 7121c13189f6af09d8a59628cbeafd6deb53e1275b1065b769c7134909e7a6ad
Instruction Fuzzy Hash:

Function 007AC705 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 007AC705

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 556c11f1aac4e658a66dacb653d822ed6103dbaefebf7cc514abb489b9cad890
Instruction ID: 91fc770b5e193d20fa399f47917dc4f8da3bb8ed73d7539b6ddc3dd1eafa2991
Opcode Fuzzy Hash: 556c11f1aac4e658a66dacb653d822ed6103dbaefebf7cc514abb489b9cad890
Instruction Fuzzy Hash: 71A011302002808F83808F32AA08A0C3BE8AA80A8830AC82EA808C0020EA3880008F0A

Function 007BA1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,007BA19D,?,?,?,?,?,?,?,?,?), ref: 007BA258
__alloca_probe_16.LIBCMT ref: 007BA313
__alloca_probe_16.LIBCMT ref: 007BA3A2
__freea.LIBCMT ref: 007BA3ED
__freea.LIBCMT ref: 007BA3F3
__freea.LIBCMT ref: 007BA429
__freea.LIBCMT ref: 007BA42F
__freea.LIBCMT ref: 007BA43F

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 907122898edf1b11ab2f05a8b8f2af3f86bf84a9ea1dc27c4dda9c9535e80108
Instruction ID: ca62dd2218d418b61fc8abf85e8183041f64f88d162b3482c82fc5621ffe1585
Opcode Fuzzy Hash: 907122898edf1b11ab2f05a8b8f2af3f86bf84a9ea1dc27c4dda9c9535e80108
Instruction Fuzzy Hash: C571C67290024ABBDF21BF588C86BEE77E5EF89310F144159E944B7241EB7E9C448752

Function 007ADC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 007ADD01

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction ID: 13b9373116254568d7d6a71c332b6d05ab4b1bb2fc0a0f68d1ec1172154de16f
Opcode Fuzzy Hash: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction Fuzzy Hash: ACB16772A04355AFDB358F68CC81BEE7BA5EFD7310F144256E812AF282D2789D01C7A0

Function 0079F7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0079F827
___except_validate_context_record.LIBVCRUNTIME ref: 0079F82F
_ValidateLocalCookies.LIBCMT ref: 0079F8B8
__IsNonwritableInCurrentImage.LIBCMT ref: 0079F8E3
_ValidateLocalCookies.LIBCMT ref: 0079F938

Strings

csm, xrefs: 0079F8CD

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: eea1ed973a89ef8a349fa4533e6ff9af2a3862476c5523ccc7c44827f6c70ec2
Instruction ID: dacfec19ee106111569db4613fb989dc76f17c860a7f16946b3b21362667b609
Opcode Fuzzy Hash: eea1ed973a89ef8a349fa4533e6ff9af2a3862476c5523ccc7c44827f6c70ec2
Instruction Fuzzy Hash: B141A430E00218EFCF10EF68D895E9E7BB5AF45324F148169E815EB392D739AE45CB91

Function 0079EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0079EB22
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0079EB30
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0079EB41

Strings

GetTempPath2W, xrefs: 0079EB36
GetSystemTimePreciseAsFileTime, xrefs: 0079EB2A
kernel32.dll, xrefs: 0079EB1D

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 815e56506d1efbd93988fad4f55e7dd5cbdb8b21b2a07ffe36ecf1dc8d708f41
Instruction ID: 3bc4c1cf485d36048ffd5e3b43bc93891bc80671fc04e4de3c724881aeb18791
Opcode Fuzzy Hash: 815e56506d1efbd93988fad4f55e7dd5cbdb8b21b2a07ffe36ecf1dc8d708f41
Instruction Fuzzy Hash: 70D09E775893206FC3049B71BC19D9A3FA5AA05715305C46DF802D2661D7BC49418F9C

Function 007B8A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217bc49e343616431894c7f2ff7255f3da4aecdea4e93dc69f45eaec57139892
Instruction ID: e0ab5a672eaef48a10a75374b1bec0cc6ebca53cda2a7b4c09f76ea8312c4087
Opcode Fuzzy Hash: 217bc49e343616431894c7f2ff7255f3da4aecdea4e93dc69f45eaec57139892
Instruction Fuzzy Hash: 38B106B0A04249EFDB51DF68C845BEE7BB9BF59310F144299E4009B2D2CB7C9D41CB62

Function 007A9AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007A9AEB,0079F5BA,0079E585), ref: 007A9B02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007A9B10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007A9B29
SetLastError.KERNEL32(00000000,007A9AEB,0079F5BA,0079E585), ref: 007A9B7B

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 83474cf27c3b369a0bfedb0e111047e2e30b576642ee13202802351fec5cf1ca
Instruction ID: 7bce679a1f621b0e99518ba51909e39ac7e737305302256498af3d508998f573
Opcode Fuzzy Hash: 83474cf27c3b369a0bfedb0e111047e2e30b576642ee13202802351fec5cf1ca
Instruction Fuzzy Hash: 090168B210AA11AE9B242675BC89E9F2B55FB43770720832DF216615F0EE2D4C108168

Function 007AA3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 007AA4DB
CallUnexpected.LIBVCRUNTIME ref: 007AA754

Strings

csm, xrefs: 007AA512
csm, xrefs: 007AA3F9
csm, xrefs: 007AA466

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 0806ea81326042435e37810944a5fd3d612a5e6582e7344807a24e2d3269a21e
Instruction ID: 0beae794bca124c8cfbe3e9578a54db7424f6e2a19127596e9e3777afea993e7
Opcode Fuzzy Hash: 0806ea81326042435e37810944a5fd3d612a5e6582e7344807a24e2d3269a21e
Instruction Fuzzy Hash: 13B1CF71800209EFCF15DFA4C8849AEBBB5FF96310F14465AF9056B212D739DA61CF92

Function 007A4A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9ABFD95C,?,?,00000000,007BB3E5,000000FF,?,007A4B4A,00000002,Ixz,007A4BE6,Ixz), ref: 007A4ABE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007A4AD0
FreeLibrary.KERNEL32(00000000,?,?,00000000,007BB3E5,000000FF,?,007A4B4A,00000002,Ixz,007A4BE6,Ixz), ref: 007A4AF2

Strings

mscoree.dll, xrefs: 007A4AB7
CorExitProcess, xrefs: 007A4AC8

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 00a8fbedaf06f82ff659ab73161d9343ec4df9dc3cf497d7f3a5aa9314dce8b3
Instruction ID: a97a4ca8e5e5b90c5e84bf8e2428134ea9e9cd74979ea45f79180194d695e287
Opcode Fuzzy Hash: 00a8fbedaf06f82ff659ab73161d9343ec4df9dc3cf497d7f3a5aa9314dce8b3
Instruction Fuzzy Hash: C001A776944615EFCB119F80DC05FAE7BF8FB44B11F00862DF822A2690DBBD9900CA98

Function 007AC516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 007AC59B
__alloca_probe_16.LIBCMT ref: 007AC664
__freea.LIBCMT ref: 007AC6CB

Part of subcall function 007AAD61: RtlAllocateHeap.NTDLL(00000000,007ACD3A,?,?,007ACD3A,00000220,?,00000000,?), ref: 007AAD93

__freea.LIBCMT ref: 007AC6DE
__freea.LIBCMT ref: 007AC6EB

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: ee9d5d6df1d02cc9e3401b0b8d29596e6bc4d22514085680493f879d0ea18d07
Instruction ID: 97e54fa5ed4b20ce0e222a4cfd0592dcb151341d242c352e2404f3d0fd777319
Opcode Fuzzy Hash: ee9d5d6df1d02cc9e3401b0b8d29596e6bc4d22514085680493f879d0ea18d07
Instruction Fuzzy Hash: 0251B472601246FFEF22DF648C85DBB76A9EFC6710B25062AFD04E6111E779DC108760

Function 0079E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0079E8FB
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,007BB3C8,000000FF,?,0079B697), ref: 0079E91A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,007BB3C8,000000FF,?,0079B697), ref: 0079E948
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,007BB3C8,000000FF,?,0079B697), ref: 0079E9A3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,007BB3C8,000000FF,?,0079B697), ref: 0079E9BA

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 6dade3e41d732de234b9627b58d9e9fcd35240e5432a384505846b7fc5abf278
Instruction ID: da623b8e0b736c2acd7ed179ede172eb6ad76e455037dde75550dc0233eef2ba
Opcode Fuzzy Hash: 6dade3e41d732de234b9627b58d9e9fcd35240e5432a384505846b7fc5abf278
Instruction Fuzzy Hash: DD415931500606DFCF60DF65E495A7AB3F4FF05321B108A2AE45697A50D738F984CB52

Function 0079C054 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0079C05B
std::_Lockit::_Lockit.LIBCPMT ref: 0079C066
std::_Lockit::~_Lockit.LIBCPMT ref: 0079C0D4

Part of subcall function 0079BF5D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0079BF75

std::locale::_Setgloballocale.LIBCPMT ref: 0079C081
_Yarn.LIBCPMT ref: 0079C097

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: ddb3d051f2a452d02a2b36980d7839c30b64657fb5cd3c61dd31ad662e87c1bb
Instruction ID: 353dc7fb2363899f1c936e7b5bd38bb73691f1b4cc2ab700a1f81a3ee27397b3
Opcode Fuzzy Hash: ddb3d051f2a452d02a2b36980d7839c30b64657fb5cd3c61dd31ad662e87c1bb
Instruction Fuzzy Hash: BE01BC75A00110CBCF0AEB24ED59A7D7BB1BF81720B15405CE81657381CF7C6E42CB85

Function 007AF766 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007AAFB3: GetLastError.KERNEL32(?,?,007A495A,007C56B0,0000000C), ref: 007AAFB7
Part of subcall function 007AAFB3: SetLastError.KERNEL32(00000000), ref: 007AB059

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,007A509A,?,?,?,00000055,?,-00000050,?,?,?), ref: 007AF825
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,007A509A,?,?,?,00000055,?,-00000050,?,?), ref: 007AF85C

Strings

utf8, xrefs: 007AF92E
`/|, xrefs: 007AF7D9

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: `/|$utf8
API String ID: 943130320-3491862084
Opcode ID: 052749dff1f2c4e31363c84bb4481d49b7da9684b48b86e4f318e5673bad2520
Instruction ID: 30ad38100b31144a90a05340de3cdab72448de969798cc91f6272ca4ee0f3984
Opcode Fuzzy Hash: 052749dff1f2c4e31363c84bb4481d49b7da9684b48b86e4f318e5673bad2520
Instruction Fuzzy Hash: C3510471600306FADB25ABB08C46BAB73A8EFC6740F104639F545D7081FB7CF94086A5

Function 007B52C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,007B535D,00000000,?,007C8180,?,?,?,007B5294,00000004,InitializeCriticalSectionEx,007BF434,007BF43C), ref: 007B52CE
GetLastError.KERNEL32(?,007B535D,00000000,?,007C8180,?,?,?,007B5294,00000004,InitializeCriticalSectionEx,007BF434,007BF43C,00000000,?,007AAA0C), ref: 007B52D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007B5300

Strings

api-ms-, xrefs: 007B52E5

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fe06b252943515c63853f1ed419983f6caeaf124a237771b7cb2143ccfbc0be3
Instruction ID: d1c292355d87dbbb143b3393febdad05077d3bcc5eb24e11e40c161f084357ae
Opcode Fuzzy Hash: fe06b252943515c63853f1ed419983f6caeaf124a237771b7cb2143ccfbc0be3
Instruction Fuzzy Hash: 15E04F70280305B7EF202FA1ED0AF997F99AB10B86F148034F90DA85E1D7BAED108648

Function 007B30BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(9ABFD95C,00000000,00000000,?), ref: 007B3122

Part of subcall function 007AAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007AC6C1,?,00000000,-00000008), ref: 007AAED2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 007B3374
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 007B33BA
GetLastError.KERNEL32 ref: 007B345D

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 356498ecae9248c9971c3b24801a15d7ae5b204e72751daf50bf906e52848f43
Instruction ID: f13b02dbf6be0135506191368ec7f0638ddbe5f65f37680e5a76640af0d90a75
Opcode Fuzzy Hash: 356498ecae9248c9971c3b24801a15d7ae5b204e72751daf50bf906e52848f43
Instruction Fuzzy Hash: A2D17CB5D042889FCF15CFA8C884AEDBBB5FF49310F24856AE425EB251D638AA45CB50

Function 007AA0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 007AA1AA
___AdjustPointer.LIBCMT ref: 007AA1CD
___AdjustPointer.LIBCMT ref: 007AA269

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e0a90e668855848deffdb77e901950b3fbde0bddf5ccf81a63dd9024a24f3b94
Instruction ID: 76fbe4971f27bd2ae497cdbdff6636056d9e8d2b96261a3e1c8ebd198ba9069c
Opcode Fuzzy Hash: e0a90e668855848deffdb77e901950b3fbde0bddf5ccf81a63dd9024a24f3b94
Instruction Fuzzy Hash: 8E51E072600606FFDB298F54D845B6A77B4FFC2710F14462DE81687291E73AEDA0CB92

Function 007B0B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 007AAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007AC6C1,?,00000000,-00000008), ref: 007AAED2

GetLastError.KERNEL32 ref: 007B0BEA
__dosmaperr.LIBCMT ref: 007B0BF1
GetLastError.KERNEL32 ref: 007B0C2B
__dosmaperr.LIBCMT ref: 007B0C32

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 189459469cf421da764fa2ece050c0d3529cdb7a9d0cdb301ea13afc20519881
Instruction ID: f0a37c623cbf966cb74e92c4b9f2c568881a58072a98b90f41bec86fee1a5d34
Opcode Fuzzy Hash: 189459469cf421da764fa2ece050c0d3529cdb7a9d0cdb301ea13afc20519881
Instruction Fuzzy Hash: C621A1B1600215EF9B20AF61CC85AEFBBA9FF413647148618F95997211DB38EC108BE0

Function 007A1652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389e50cf9bb9bcfba52d1c718fb0a73fbcabbefb4ff61f7e5b8519be325226bd
Instruction ID: e5ae1eba6a45b9baef602c0ca75fe6e3960ab353008c6d7995aa8534a3860629
Opcode Fuzzy Hash: 389e50cf9bb9bcfba52d1c718fb0a73fbcabbefb4ff61f7e5b8519be325226bd
Instruction Fuzzy Hash: 8921C671600215EFEB10AF618C85D7B77ADAFC2364F544B24F915C7551EB39EC1087A0

Function 007B1F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007B1F84

Part of subcall function 007AAE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,007AC6C1,?,00000000,-00000008), ref: 007AAED2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007B1FBC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007B1FDC

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 24538676a735cefb238e29975331fde1b77294bfe87e95a4c2120e656a7651da
Instruction ID: 19bbacd85b86a6b7b5926bfdd14d753ad4f6609eefc7971a33ec6cf9c52355fa
Opcode Fuzzy Hash: 24538676a735cefb238e29975331fde1b77294bfe87e95a4c2120e656a7651da
Instruction Fuzzy Hash: 0A11C4B2606619BEA63137B15C8EDBF6A6CDE8A3A57514519F801D2102FB3CCD01D3B6

Function 00792A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00792A8D
GetCurrentThreadId.KERNEL32 ref: 00792A9B
std::_Throw_Cpp_error.LIBCPMT ref: 00792AB4
std::_Throw_Cpp_error.LIBCPMT ref: 00792AF3

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: c5d3e82a7b01031634980f4cfd79be1a60aa8e152c69871e00cd8cd715780f45
Instruction ID: ea829201a3a6fda02636b9bd5095cd62074e4eaf3c0bd442a569d0b42be96ea8
Opcode Fuzzy Hash: c5d3e82a7b01031634980f4cfd79be1a60aa8e152c69871e00cd8cd715780f45
Instruction Fuzzy Hash: 3921C0B4E04209DFCF08EFA8E5956AEBBF0EF48300F01845DE859AB351D7389941CB51

Function 007BA470 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,007B9952,00000000,00000001,?,?,?,007B34B1,?,00000000,00000000), ref: 007BA487
GetLastError.KERNEL32(?,007B9952,00000000,00000001,?,?,?,007B34B1,?,00000000,00000000,?,?,?,007B2DF7,?), ref: 007BA493

Part of subcall function 007BA4E4: CloseHandle.KERNEL32(FFFFFFFE,007BA4A3,?,007B9952,00000000,00000001,?,?,?,007B34B1,?,00000000,00000000,?,?), ref: 007BA4F4

___initconout.LIBCMT ref: 007BA4A3

Part of subcall function 007BA4C5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,007BA461,007B993F,?,?,007B34B1,?,00000000,00000000,?), ref: 007BA4D8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,007B9952,00000000,00000001,?,?,?,007B34B1,?,00000000,00000000,?), ref: 007BA4B8

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 341f215e91a149603805847e1a5b631f9f80a260d460e47389fe8330dc7917bf
Instruction ID: bcc57f3461d3ebe110e066effff094ccb1ea19a8d0fc0c5f8f2dc28032d739d4
Opcode Fuzzy Hash: 341f215e91a149603805847e1a5b631f9f80a260d460e47389fe8330dc7917bf
Instruction Fuzzy Hash: 28F01C36000695BBCF262F95DC0CEC93F66FB493A0B018414FA1D85120DA7A8920EB99

Function 0079EFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0079EFB9
GetCurrentThreadId.KERNEL32 ref: 0079EFC8
GetCurrentProcessId.KERNEL32 ref: 0079EFD1
QueryPerformanceCounter.KERNEL32(?), ref: 0079EFDE

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 84c3dcb1a7cae4c42b7b4b8270e909baa8276e6e309a427ac55b254cda41d93c
Instruction ID: 1ee632d5895465cd21355cc435730ea82d839ddc376a973c678b773e0861c0b8
Opcode Fuzzy Hash: 84c3dcb1a7cae4c42b7b4b8270e909baa8276e6e309a427ac55b254cda41d93c
Instruction Fuzzy Hash: B3F0B270C0020CEFCB04DFB4CA4898EBBF4FF1C200B91899AA412E7150E734AB44CB54

Function 007AA7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,007AA6E1,?,?,00000000,00000000,00000000,?), ref: 007AA805

Strings

RCC, xrefs: 007AA81F
MOC, xrefs: 007AA817

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 733fa0ee535499dffa71168e272399205254a0ff5e57c3dfad0c8ea82e25a770
Instruction ID: e47beb3ea8d23bef337505ab89ed060cacc8b51714d22169e7820b9d19f70d86
Opcode Fuzzy Hash: 733fa0ee535499dffa71168e272399205254a0ff5e57c3dfad0c8ea82e25a770
Instruction Fuzzy Hash: FA41597290020AEFCF16DF94CC81AAEBBB5BF89300F158269F904A6211D339A991DB51

Function 007AA04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 007AA2C3

Strings

csm, xrefs: 007AA2E5
csm, xrefs: 007AA356

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 7daae0d0831243e7c82ff6d8a00bbb8e5c7d976f33ec77784a4d9c20844bd192
Instruction ID: 47678272e3a68ab8866a5818be313424a134672aa27c8bd48471956b71274b72
Opcode Fuzzy Hash: 7daae0d0831243e7c82ff6d8a00bbb8e5c7d976f33ec77784a4d9c20844bd192
Instruction Fuzzy Hash: AD318B32500319FBCF268F54C8449BA7B66FF8A715B18875AF85449221D33ADCA1DB92

Function 00794B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00794B2B

Part of subcall function 0079BE78: _Yarn.LIBCPMT ref: 0079BE98
Part of subcall function 0079BE78: _Yarn.LIBCPMT ref: 0079BEBC

Strings

^Iy, xrefs: 00794B1C
bad locale name, xrefs: 00794B9B

Memory Dump Source

Source File: 00000007.00000002.2451450015.0000000000791000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00790000, based on PE: true

Associated: 00000007.00000002.2451401006.0000000000790000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451722799.00000000007BC000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451753299.00000000007C6000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451778685.00000000007C7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451831201.00000000007CA000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000007.00000002.2451858313.00000000007CC000.00000008.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_790000_a762d7e2e8.jbxd

Similarity

API ID: Yarn$LockitLockit::_std::_
String ID: ^Iy$bad locale name
API String ID: 360232963-279485503
Opcode ID: 3a53651b7a03f75ac92032e5aa8994cd6494c6b3b084037e304c0a59409f4f67
Instruction ID: f2d425ae9f5d702bce237ac05a5cf0d98fea6b24f2e495bf429b4f34ea400c09
Opcode Fuzzy Hash: 3a53651b7a03f75ac92032e5aa8994cd6494c6b3b084037e304c0a59409f4f67
Instruction Fuzzy Hash: BD011270904108DFCF08FFA9E499BADBBB1AF4530CF00446CE64657342CA34AA91CBA6

Analysis Process: a762d7e2e8.exePID: 8040, Parent PID: 7976COMMON

Non-executed Functions

Function 00E8610F Relevance: 5.2, Strings: 4, Instructions: 152COMMON

Download Yara Rule

Strings

8f08, xrefs: 00E861EA
n, xrefs: 00E86197
JONE, xrefs: 00E86224
JONE, xrefs: 00E86162

Memory Dump Source

Source File: 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E78000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_e6f000_a762d7e2e8.jbxd

Similarity

API ID:
String ID: 8f08$JONE$JONE$n
API String ID: 0-3598624002
Opcode ID: 6ba1f5e65ee3c9472124f873d65a655355cd2a7a5257719860a7375005a32049
Instruction ID: 9ef09e7afe702bcf2d4b705200d6d8626599083412d73d9ecd63ce2ce00e45af
Opcode Fuzzy Hash: 6ba1f5e65ee3c9472124f873d65a655355cd2a7a5257719860a7375005a32049
Instruction Fuzzy Hash: 47319A9540EBC01FD31307705D6AAA13FB4DB63329B1E1ACBD0DA9F1B7D00A094AC366

Function 00E8610F Relevance: 5.2, Strings: 4, Instructions: 152COMMON

Download Yara Rule

Strings

n, xrefs: 00E86197
8f08, xrefs: 00E861EA
JONE, xrefs: 00E86224
JONE, xrefs: 00E86162

Memory Dump Source

Source File: 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_e6f000_a762d7e2e8.jbxd

Similarity

API ID:
String ID: 8f08$JONE$JONE$n
API String ID: 0-3598624002
Opcode ID: 6ba1f5e65ee3c9472124f873d65a655355cd2a7a5257719860a7375005a32049
Instruction ID: 9ef09e7afe702bcf2d4b705200d6d8626599083412d73d9ecd63ce2ce00e45af
Opcode Fuzzy Hash: 6ba1f5e65ee3c9472124f873d65a655355cd2a7a5257719860a7375005a32049
Instruction Fuzzy Hash: 47319A9540EBC01FD31307705D6AAA13FB4DB63329B1E1ACBD0DA9F1B7D00A094AC366

Function 00E86130 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

8f08, xrefs: 00E861EA
n, xrefs: 00E86197
JONE, xrefs: 00E86224
JONE, xrefs: 00E86162

Memory Dump Source

Source File: 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E78000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_e6f000_a762d7e2e8.jbxd

Similarity

API ID:
String ID: 8f08$JONE$JONE$n
API String ID: 0-3598624002
Opcode ID: ec61843d88c3adc3762fd94f2bbf85f283886074e8de12eaff26eb2f9e6c10a7
Instruction ID: e282b582151b7e42d60e1d86802536109e46513e4102e32401240c59b89909b5
Opcode Fuzzy Hash: ec61843d88c3adc3762fd94f2bbf85f283886074e8de12eaff26eb2f9e6c10a7
Instruction Fuzzy Hash: D321A1D640EAC41FD31706245D6AAB23FA8DB63315B1A1ACBD0DA9B1B7C0464D4AC362

Function 00E86130 Relevance: 5.1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

Strings

n, xrefs: 00E86197
8f08, xrefs: 00E861EA
JONE, xrefs: 00E86224
JONE, xrefs: 00E86162

Memory Dump Source

Source File: 00000009.00000003.2687208821.0000000000E73000.00000004.00000020.00020000.00000000.sdmp, Offset: 00E73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_e6f000_a762d7e2e8.jbxd

Similarity

API ID:
String ID: 8f08$JONE$JONE$n
API String ID: 0-3598624002
Opcode ID: ec61843d88c3adc3762fd94f2bbf85f283886074e8de12eaff26eb2f9e6c10a7
Instruction ID: e282b582151b7e42d60e1d86802536109e46513e4102e32401240c59b89909b5
Opcode Fuzzy Hash: ec61843d88c3adc3762fd94f2bbf85f283886074e8de12eaff26eb2f9e6c10a7
Instruction Fuzzy Hash: D321A1D640EAC41FD31706245D6AAB23FA8DB63315B1A1ACBD0DA9B1B7C0464D4AC362

Input	Output
URL: https://learn.microsoft.com Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://learn.microsoft.com
URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=f4ab0f7633.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "This application could not be started", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=f4ab0f7633.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }
	{ "brands": [ "Microsoft" ] }

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5uVReRlvME.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Phishing

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAAEHDBFIDAFIDHJEBFB

Windows Analysis Report
5uVReRlvME.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre